Splunk Enterprise Security
Highlighted

Splunk Enterprise Security: What do certain parts of my correlation search mean?

Explorer

Hello everyone
i've just looking into content management correlation searches' code and I couldn't understand some parts of it!

these are my questions:
what is the difference between tstats and 'tsats'
why do they put some entities into $?

for example:

| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

the code above is for "Entity Investigator Search".

and the last question, for now, is what is the meaning of "dropdmobject_name"??

I surf the net but I couldn't find the best answer or any answers for my questions!

Thank YOU

0 Karma
Highlighted

Re: Splunk Enterprise Security: What do certain parts of my correlation search mean?

SplunkTrust
SplunkTrust

This particular question is not Splunk enterprise security specific, the `` symbols are macros been used which then substitute to the contents of the macro. The $$ symbols are for substituting variables...

Highlighted

Re: Splunk Enterprise Security: What do certain parts of my correlation search mean?

Explorer

Thank you @ garethatiag
you mean that for both 'x' and $x$, symbols are for substitution, right?

what about my last question? could you please give me some hints?

With Regards

0 Karma
Highlighted

Re: Splunk Enterprise Security: What do certain parts of my correlation search mean?

SplunkTrust
SplunkTrust

The $variable$ is a token/variable, if this was a dashboard you could refer to Token usage in dashboards
For macros refer to search macros , finally you might want to use the job inspector this will show you the final search result, although it be be tricky to read the search information.

Finally the Splunk ES documentation has information about creating correlation searches , the correlation searches can be quite complicated to understand in ES. I do not have access to an ES instance so I cannot answer all your questions, but do accept the answer if it does answer your question...

0 Karma
Highlighted

Re: Splunk Enterprise Security: What do certain parts of my correlation search mean?

Explorer

Yes; you helped me a lot. I really appreciate

0 Karma
Highlighted

Re: Splunk Enterprise Security: What do certain parts of my correlation search mean?

Super Champion
  1. 'tstats' (single tick) is a macro . You can check in macros, the expansion of it within ES app
  2. $xyz$ is for dynamic substitution
  3. dropdmobject_name is another macro to remove the parent object of CIM datamodels (eg The original field value would be Authentication.src , but if you apply the dropdmobject_name , then the field becomes src )

View solution in original post