How can I use the top command after migrating to tstats? I need the same result, but it looks like it can be done only using top, so I need it.
index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" status IN ("*")
| rename analysis.threat_score AS ats
| where isnum(ats)
| eval ats_num=tonumber(ats)
| eval selected_ranges="*"
| eval token_score="*"
| eval within_selected_range=0
| rex field=selected_ranges "(?<start>\d+)-(?<end>\d+)"
| eval start=tonumber(start), end=tonumber(end)
| eval within_selected_range=if(
(ats_num >= start AND ats_num <= end) OR token_score="*",
1,
within_selected_range
)
| where within_selected_range=1
| rename "analysis.behaviors{}.title" as "Behavioral indicator"
| top limit=10 "Behavioral indicator"
I tried this, but it doesn't return the percent:
| tstats prestats=true count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" Secure_Malware_Analytics_Dataset.status IN ("*") by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| chart count by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| sort - count | head 20
Not sure why you are using prestats=true; try something like this:
| tstats count as Count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where index IN (add_on_builder_index, ba_test, cim_modactions, cisco_duo, cisco_etd, cisco_multicloud_defense, cisco_secure_fw, cisco_sfw_ftd_syslog, cisco_sma, cisco_sna, cisco_xdr, duo, encore, fw_syslog, history, ioc, main, mcd, mcd_syslog, notable, notable_summary, resource_usage_test_index, risk, secure_malware_analytics, sequenced_events, summary, threat_activity, ubaroute, ueba, whois) sourcetype="cisco:sma:submissions" Secure_Malware_Analytics_Dataset.status IN ("*") by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| eventstats sum(Count) as Total
| eval Percent=100*Count/Total
| sort - Count | head 20
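Added example (not the answer's own query): this reproduces the two columns that `top limit=10 "Behavioral indicator"` produced in the original search (count and percent) on top of the tstats output, because top counts rows rather than weighting them by an existing count field. It assumes the data model and field names already used in this thread; the `index IN (...)` filter from the queries above belongs in the where clause and is left out here.

```spl
| tstats count
    from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset
    where sourcetype="cisco:sma:submissions"
    by Secure_Malware_Analytics_Dataset.analysis_behaviors_title
| rename Secure_Malware_Analytics_Dataset.analysis_behaviors_title AS "Behavioral indicator"
| eventstats sum(count) AS total
| eval percent=round(100*count/total, 2)
| fields "Behavioral indicator" count percent
| sort - count
| head 10
```

The percent is rounded to two decimals here; drop the round() if you want the long fractional values top prints by default.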
Good try, but it skipped the list of titles I have in my input query. I get correct counts, but without titles.
I don't know what this means. Please can you show what you are getting and what you expected to get?
Here's what I get from my previous query, and what I expect to get:
| Environment | convicted | not convicted |
|---|---|---|
| browser | 8 | 12 |
| win10 | 79 | 250 |
| win10-x64-2-beta | 0 | 117 |
| win10-x64-browser | 12 | 6 |
| win7-x64 | 2 | 832 |
Here's what I get from the query you provided; I hope it helps:
| Secure_Malware_Analytics_Dataset.analysis_behaviors_title | count | percent | total |
|---|---|---|---|
| Executable Imported the IsDebuggerPresent Symbol | 835 | 14.421416234887737 | 5790 |
| PE Contains TLS Callback Entries | 690 | 11.917098445595855 | 5790 |
| Executable with Encrypted Sections | 622 | 10.7426597582038 | 5790 |
| Executable Artifact Imports Tool Help Functions | 428 | 7.392055267702936 | 5790 |
| PE Checksum is Invalid | 403 | 6.960276338514681 | 5790 |
| Artifact With Multiple Extensions Detected | 364 | 6.286701208981002 | 5790 |
| Executable Signed With Digital Certificate | 277 | 4.784110535405873 | 5790 |
| Process Modified File in a User Directory | 250 | 4.317789291882556 | 5790 |
| Executable Signing Date Invalid | 220 | 3.7996545768566494 | 5790 |
| Possible Registry Persistence Mechanism Detected | 140 | 2.4179620034542313 | 5790 |
| PE DOS Header Initial SP Value is Abnormal | 138 | 2.383419689119171 | 5790 |
| Static Analysis Flagged Artifact As Anomalous | 86 | 1.4853195164075994 | 5790 |
| Windows Crash Tool Execution Detected | 85 | 1.468048359240069 | 5790 |
| Artifact Flagged Malicious by Antivirus Service | 81 | 1.3989637305699483 | 5790 |
| A Crash Dump File Was Created | 77 | 1.3298791018998273 | 5790 |
Is what you expected to get what you got from your non-tstats search?
Correct.
So your conversion to tstats is not complete then? Using the data you get back from tstats, is there sufficient information for you to compile the results you want (or do you need a different version of the tstats search)?
This is exactly why I'm here. My tstats query isn't complete; I need this data to be shown in logs as it used to be in my usual (non-tstats) query.
Without seeing your events it is difficult to determine what you need to do with the tstats to get the data you want.
I thought showing my logs was enough. With that in mind, I need the exact command to be there.
Where did you show your events?
I need this query to use the top command, but it looks like it should be rewritten first in some way.