What is the best approach for data visualization using tstats? I am new to using tstats; I moved away from using the regular search index because it speeds up the query process. For example, I made this query to show the vulnerabilities found on each IP:

| tstats summariesonly=t dc(Vulnerability.signature) as vulnerabilities from datamodel=Vulnerability by Vulnerability.dest
| sort -vulnerabilities
| rename Vulnerability.dest as ip_address
| table ip_address vulnerabilities

For example, the first line from that query shows that IP 192.168.1.5 has 4521 vulnerabilities found. Then I also created another detail table to verify and show some other columns related to that IP (click the IP and send a token), but it shows a different amount of data (4638 events):

| tstats summariesonly=t count FROM datamodel=Vulnerability WHERE Vulnerability.destination="192.168.1.5" AND Vulnerability.signature="*" BY Vulnerability.destination, Vulnerability.signature, Vulnerability.severity, Vulnerability.last_scan, Vulnerability.risk_score, Vulnerability.cve, Vulnerability.cvss_v3_score, Vulnerability.solution
| `drop_dm_object_name(Vulnerability)`
| rename destination as ip_address
| fillnull value="Unknown" ip_address signature severity last_scan risk_score cve cvss_v3_score solution
| table ip_address signature severity last_scan risk_score cve cvss_v3_score solution

I know this is related to the inaccuracy of the query, because if I change the "BY" parameter it will change the amount of data displayed too. How do I make the data count of this query match the output of the first query, but still display the other fields even though they are empty?
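The two numbers in the post measure different things: the overview query returns dc(Vulnerability.signature), the number of distinct signatures per host, while the detail query returns count per row, and the sum of those rows is the number of events for the host. A host with several events for the same signature (repeated scans, several CVEs under one signature) will therefore show a larger total in the detail table. Splitting by more fields changes the total for a second reason: tstats drops an event from its BY-clause output when any of the BY fields is null, so a later `fillnull` cannot recover it; the `fillnull_value` argument of tstats substitutes a value before the grouping happens. The searches below are an added example, not code from the original post. They assume the CIM `Vulnerability.dest` field used in the first query (the post's second query uses `Vulnerability.destination`), a dashboard token named `$ip_token$` (a hypothetical name), and a Splunk version whose tstats supports `fillnull_value`.

```spl
| tstats summariesonly=t fillnull_value="Unknown" count dc(Vulnerability.signature) as vulnerabilities
    from datamodel=Vulnerability
    by Vulnerability.dest
| rename Vulnerability.dest as ip_address
| sort -vulnerabilities
| table ip_address vulnerabilities count

| tstats summariesonly=t fillnull_value="Unknown" count
    from datamodel=Vulnerability
    where Vulnerability.dest="$ip_token$"
    by Vulnerability.dest, Vulnerability.signature, Vulnerability.severity, Vulnerability.last_scan, Vulnerability.risk_score, Vulnerability.cve, Vulnerability.cvss_v3_score, Vulnerability.solution
| `drop_dm_object_name(Vulnerability)`
| rename dest as ip_address
| eventstats dc(signature) as vulnerabilities, sum(count) as events by ip_address
| table ip_address vulnerabilities events signature severity last_scan risk_score cve cvss_v3_score solution count
```

The first search is the overview with both figures side by side: `vulnerabilities` is the distinct-signature count the post's summary table already shows, and `count` is the event total the detail table was summing to. The second search is the drill-down; the `eventstats` line recomputes the same dc(signature) over the split rows and carries it, together with the event total, on every row, so the detail panel reports the same `vulnerabilities` value as the overview for the selected host while still listing severity, CVE and the other columns, with "Unknown" in place of empty values rather than the row being dropped.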