Splunk Search

Questions regarding datamodel, stats, NOT, and Macros in my query

Communicator

This is the query I have:

| tstats `summariesonly` count from datamodel=Threat_Intelligence.Threat_Activity where NOT [| `ppf_subsearch_dm("ppf_threat_activity","threat_match_field,threat_match_value",now(),"Threat_Activity")`] by Threat_Activity.threat_key | `drop_dm_object_name("Threat_Activity")` | `get_threat_attribution(threat_key)` | stats sum(count) as count by threat_category | sort 10 - count

I have a couple questions regarding it:

1) What is the datamodel=Threat_Intelligence.Threat_Activity part doing? If it was just (for example) datamodel=Threat_Intelligence, then it would be counting from the data model node that is named "Threat_Intelligence" (if I'm not mistaken). So what does the .Threat_Activity do to it?

2) Similar to the first question, what is the "by Threat_Activity.threat_key" part doing? I believe the "by" means that it's aggregating by the field "Threat_Activity.threat_key". Again, what is the .threat_key doing there?

3) What is the stats sum(count) as count by threat_category part doing? I've read through the stats page on the Splunk reference site but I'm still not 100% sure what stats sum does. I believe that the other part of that command is renaming what stats sum(count) did as count and aggregating by the field threat_category.

4) Regarding the NOT operator, does the NOT apply to all of: `ppf_subsearch_dm("ppf_threat_activity","threat_match_field,threat_match_value",now(),"Threat_Activity")`? Also, what is the square bracket doing there and why does a pipe directly follow the NOT operator?

5) Does anyone have any idea of what any of the macros are doing? I don't have the macro definitions for them and I also don't have access to them. I'm pretty sure that the `summariesonly` one directly following tstats just sets tstats to true. But other than that, I'm lost.

If anyone could help me with all or any one of the questions I have, I would really appreciate it.

1 Solution

SplunkTrust

Q 1 and 2:
There is a data model named "Threat_Intelligence", and there is a child node under that data model called "Threat_Activity".
Wherever you see "datamodel=Threat_Intelligence.Threat_Activity", the search is selecting data from the child node Threat_Intelligence.Threat_Activity. (It's a data hierarchy. Consider a data model for Cars with a child node for Electric cars; if you want to query data for Electric cars, you'd use Cars.Electric.)
Wherever you see "by Threat_Activity.threat_key", the aggregation groups by the field threat_key, which is available in the node Threat_Activity.

Q 3: I would suggest to not to post duplicate posts.
Read answer from other post: https://answers.splunk.com/answers/453887/stats-sumcount-by-foo.html

Q 4:
The subsearch is [| `ppf_subsearch_dm("ppf_threat_activity","threat_match_field,threat_match_value",now(),"Threat_Activity")`]. Subsearches are enclosed within square brackets, and they start with either the search command or a pipe symbol, depending on the subsearch. What the subsearch runs is defined in the macro ppf_subsearch_dm; since you don't have access to it, we can't know what it does.
The subsearch will return a series of key-value pairs (for example fieldname="fieldvalue"). If multiple rows are returned by the subsearch, by default they will be combined into a giant nested OR statement (e.g. ((fieldname="fieldvalue1") OR (fieldname="fieldvalue2")...). The NOT operator is just added in front of the nested OR and causes the results where the OR condition is matched to be filtered out (the regular NOT logical operator).

Q 5:
We're in the same situation as you are. We can't tell what a macro does unless we have the definition. For a few, my guess is this:
`drop_dm_object_name("Threat_Activity")` = Rename any fields with the pattern Threat_Activity.fieldname to fieldname.
`get_threat_attribution(threat_key)` = Some sort of lookup/case statement which adds the field threat_category based on the field threat_key.


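The pipeline, modelled stage by stage in plain Python so the answers to Q3, Q4 and Q5 can be checked against visible data. This is an added example, not from the original post and not Splunk's own code: the summary events, the threat_attribution table and the subsearch result are all constructed here, the real behaviour of `ppf_subsearch_dm` is unknown and is stubbed with a one-row list, and `drop_dm_object_name`/`get_threat_attribution` are implemented according to the answer's guesses rather than the real macro definitions.

```python
# Added example (not from the original post or from Splunk): a plain-Python
# model of each stage of the SPL pipeline in the question.  Events, the
# threat_attribution table and the subsearch result are constructed; what
# `ppf_subsearch_dm` really returns is unknown, so it is stubbed.
from collections import defaultdict

NODE = "Threat_Activity"             # data model node, as in the query
KEY = f"{NODE}.threat_key"           # tstats output fields carry the node prefix
FIELD = f"{NODE}.threat_match_field"
VALUE = f"{NODE}.threat_match_value"


def ev(threat_key, match_field, match_value):
    """One constructed summary event from the Threat_Activity node."""
    return {KEY: threat_key, FIELD: match_field, VALUE: match_value}


EVENTS = [  # constructed sample data
    ev("ip_blocklist", "src", "203.0.113.7"),
    ev("ip_blocklist", "src", "203.0.113.7"),
    ev("ip_blocklist", "dest", "198.51.100.9"),
    ev("domain_feed", "query", "evil.example"),
    ev("domain_feed", "query", "evil.example"),
    ev("hash_feed", "file_hash", "e3b0c44298fc1c149afbf4c8996fb924"),
]

# Constructed stand-in for the rows the subsearch returns: one match to
# suppress.  Keys are prefixed because the outer tstats filters on data
# model fields.
SUPPRESSED = [{FIELD: "src", VALUE: "203.0.113.7"}]

# Constructed stand-in for the lookup assumed behind `get_threat_attribution`.
THREAT_ATTRIBUTION = {
    "ip_blocklist": "network",
    "domain_feed": "network",
    "hash_feed": "malware",
}


def subsearch_to_spl(rows):
    """Q4: how Splunk splices a subsearch into the outer search by default.
    Each row becomes a parenthesised list of field="value" pairs (implicit
    AND); rows are joined with OR; the outer NOT then negates the whole lot."""
    clauses = ["(" + " ".join(f'{k}="{v}"' for k, v in row.items()) + ")" for row in rows]
    return "(" + " OR ".join(clauses) + ")" if clauses else ""


def matches_any(event, rows):
    """Evaluate the same nested OR against one event."""
    return any(all(event.get(k) == v for k, v in row.items()) for row in rows)


def tstats_count_where_not(events, sub_rows, by):
    """| tstats count from datamodel=... where NOT [subsearch] by <field>"""
    counts = defaultdict(int)
    for e in events:
        if matches_any(e, sub_rows):   # NOT: anything the OR clause matches is dropped
            continue
        counts[e[by]] += 1
    return [{by: k, "count": n} for k, n in counts.items()]


def drop_dm_object_name(rows, node):
    """Assumed behaviour (the answer's guess): rename node.field -> field."""
    prefix = node + "."
    return [{(k[len(prefix):] if k.startswith(prefix) else k): v for k, v in r.items()}
            for r in rows]


def get_threat_attribution(rows, key_field, table):
    """Assumed behaviour (the answer's guess): add threat_category from a lookup on threat_key."""
    return [dict(r, threat_category=table.get(r[key_field], "unknown")) for r in rows]


def stats_sum_count_by(rows, by):
    """Q3: | stats sum(count) as count by <field>"""
    totals = defaultdict(int)
    for r in rows:
        totals[r[by]] += r["count"]
    return [{by: k, "count": n} for k, n in totals.items()]


def sort_top(rows, field="count", limit=10):
    """| sort 10 - count : descending by count, keep ten rows."""
    return sorted(rows, key=lambda r: r[field], reverse=True)[:limit]


def run_pipeline(events=EVENTS, sub_rows=SUPPRESSED, table=THREAT_ATTRIBUTION):
    rows = tstats_count_where_not(events, sub_rows, KEY)
    rows = drop_dm_object_name(rows, NODE)
    rows = get_threat_attribution(rows, "threat_key", table)
    rows = stats_sum_count_by(rows, "threat_category")
    return sort_top(rows)


if __name__ == "__main__":
    print("where NOT", subsearch_to_spl(SUPPRESSED))
    for row in run_pipeline():
        print(row)
```

Running it prints the nested OR clause that the NOT is applied to, then two rows: network with a count of 3 (the two suppressed src matches are gone, leaving one ip_blocklist event and two domain_feed events) and malware with a count of 1. Passing an empty subsearch result gives network 5, which is the quickest way to see that the NOT filters at the event level, before the counts are summed per category.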
Communicator

Great, thank you!
