This query appears to be unsuitable for conversion to tstats. It uses too many fields that must all be indexed for tstats to supply them. Also, the query is doing its own analysis of the events, but tstats provides aggregated values, not events, which would break the calculations done in the query.
What problem are you trying to solve? Perhaps tstats is not part of the answer.
I already converted up to this part
| tstats count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"
It works as expected but I stuck to complete now
I'm sure you are stuck, as expected.
The current tstats command produces only one field: count. You can get some (and maybe all) of them using the list or values function, but any association between the fields will be lost.
For example,.
| tstats count, values(analysis.threat_score) as ats, values(analysis.metadata.sandcastle_env.analysis_start) as start, ... from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"