I have the "Splunk Add-on for Unix and Linux", the "Splunk App for Unix and Linux", and "Linux Auditd" applications installed. When I bring up the "Linux Auditd" and look for data, there is a lot of nothing. The command starts with | tstats count WHERE [|inputlookup auditd-indicies] ...
Does tstats require some kind of data model? If so, is the an existing one to use?
... View more