i've just looking into content management correlation searches' code and I couldn't understand some parts of it!
these are my questions:
what is the difference between tstats and 'tsats'
why do they put some entities into $?
| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$
the code above is for "Entity Investigator Search".
and the last question, for now, is what is the meaning of "dropdmobject_name"??
I surf the net but I couldn't find the best answer or any answers for my questions!
This particular question is not Splunk enterprise security specific, the `` symbols are macros been used which then substitute to the contents of the macro. The $$ symbols are for substituting variables...
Thank you @ garethatiag
you mean that for both 'x' and $x$, symbols are for substitution, right?
what about my last question? could you please give me some hints?
The $variable$ is a token/variable, if this was a dashboard you could refer to Token usage in dashboards
For macros refer to search macros , finally you might want to use the job inspector this will show you the final search result, although it be be tricky to read the search information.
Finally the Splunk ES documentation has information about creating correlation searches , the correlation searches can be quite complicated to understand in ES. I do not have access to an ES instance so I cannot answer all your questions, but do accept the answer if it does answer your question...
'tstats'(single tick) is a macro . You can check in macros, the expansion of it within ES app
Authentication.src, but if you apply the dropdmobject_name , then the field becomes