Splunk Search

TSTATS where error

jwalzerpitt
Influencer

I am trying to run the following tstats search:

| tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" where "Malware_Attacks.action=allowed" from datamodel="Malware"."Malware_Attacks" 
| where 'infected_hosts'>100 
| eval const_dedup_id="const_dedup_id"

but I get the error:

Error in 'TsidxStats': WHERE clause is not an exact query

Any help would be appreciated

Thx

0 Karma
1 Solution

nickhills
Ultra Champion

it's "from where", as opposed to "where from"
Thus:
| tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" from datamodel="Malware"."Malware_Attacks" where "Malware_Attacks.action"=allowed

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

it's "from where", as opposed to "where from"
Thus:
| tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" from datamodel="Malware"."Malware_Attacks" where "Malware_Attacks.action"=allowed

If my comment helps, please give it a thumbs up!

jwalzerpitt
Influencer

That was it - TYVM

0 Karma

nickhills
Ultra Champion

If my answer helped, please consider accepting and/or upvoting so that other memebers of the community can see it was useful.

If my comment helps, please give it a thumbs up!
0 Karma

lakshman239
Influencer

Pls change to | tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" from datamodel="Malware"."Malware_Attacks" where "Malware_Attacks.action=allowed groupby Malware_Attacks.src

OsmanElyas
Explorer

| tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.user | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...