Re: tstats, no using stats-function-field, using r...

nasha430 · ‎05-28-2021

Hi,

I use tstats, but tstats use required argument ( stats-func ).
I want to write SPL.

| tstats summariesonly=t <field1>, <field2> FROM datamodel=<datamodel-name> BY <field3>

| dedup <field1>
| stats sum(<field2>) by <fields1>

Is this possible??

datamodel acceleration is done.
I'm looking for manual for this,but I don't detect manual about tstats.

nasha430 · ‎05-30-2021

@aasabatini Thanks you, your message.

but I want to see field, not stats field.
Based on your SPL, I want to see this.

| tstats `summariesonly` Authentication.app as app,Authentication.user as user, 
count from datamodel=Authentication.Authentication where Authentication.action="failure"  by Authentication.action,Authentication.src 
| dedup user
| stats sum(app) by user

because I need deduplication of user event and I don't need deduplication of app data.

aasabatini · ‎05-31-2021

Hi @nasha430

I don't understand your request, with the Tstats function is not possible create a search with a normal SPL, you must use stats function like values or sum, maybe you can use datamodel command but is not accelerated.

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

nasha430 · ‎05-31-2021

@aasabatini Oh! I find solution!!

Thanks... because you listen my issue, I find my solution. ㅠㅠ.

This is my way.

| tstats summariesonly=t values(<dataset>.reg_no) as reg_no FROM datamodel=<datamodel> BY <dataset>.user <dataset>.FILE_HASH
| dedup <dataset>.user <dataset>.FILE_HASH
| stats sum(reg_no) by <dataset>.user

Thanks aasabatini!! good luck.

aasabatini · ‎06-03-2021

@nasha430 Great!

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

nasha430 · ‎05-31-2021

@aasabatini Hi!

In my thought If tstats use 'list' command, my issue can be solved.

I see search reference, can't use 'list' function.
Can it be Other way?

nasha430 · ‎05-31-2021

@aasabatini Hello!
Please, let you know my conditional factor. Exactly not use tstats command. ( I still am solving my situation, I study lookup command. I will finish my situation with hope.)

fields : user(data: STRING), reg_no(data:NUMBER), FILE_HASH(data : HASHCODE)

1. I use 'datamodel acceleration'.
2. I do 'FILE_HASH(field) deduplication'. Event have deduplicated.

3. After deduplication, I use sum(reg_no).

So I try code.
| tstats summariesonly=t reg_no FILE_HASH FROM datamodel="<datamodel>" by user

| dedup FILE_HASH

| stats sum(reg_no) by user.

But tstats don't use fields... so I have to find other way.

I will try lookup command! Maybe let me know other thinking or command.

aasabatini · ‎05-28-2021

Hi @nasha430

absolutely yes!

below you can find my example, I used authentication datamodel

hope can help

| tstats `summariesonly` values(Authentication.app) as app,values(Authentication.user) as user, 
count from datamodel=Authentication.Authentication where Authentication.action="failure"  by Authentication.action,Authentication.src 
| dedup user
| stats sum(user) by app

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

tstats, no using stats-function-field, using row-field.

tstats

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies