PLZ upvote if you use this!
Copy out all the field names from your data model (move them to Notepad++, Sublime, or the text editor of your choice).
1. Add the "values" command and the inherited/calculated/extracted data model prefix to each field in the tstats query
(in the following example I'm using "values(Authentication.YourDataModelField)").
*Note: add host, source, and sourcetype without the "Authentication." prefix, as they are already in tstats; so is _time, but I use it to group by.
2. Add the "from" clause to choose your data model (in the following example I'm using the Authentication data model).
3. Add the "where" clause to specify field values (in the following example I'm using action=failure and limiting signature_id to the three Windows failures I care about in this use case). You can also specify nodename, a child data model object, etc. Note: you cannot wildcard this field.
4. Add the "by" clause to help narrow the dataset (in the following example I'm using user, src, signature_id, and _time).
5. table all (note: this will give you a table view of all the data in that data model; I like to use this as it makes more sense to me, starting with everything and removing what I do not need).
| tstats count AS count
    , values(Authentication.user)
    , values(Authentication.tag)
    , values(Authentication.dest_bunit)
    , values(Authentication.dest_category)
    , values(Authentication.dest_nt_domain)
    , values(Authentication.dest_priority)
    , values(Authentication.duration)
    , values(Authentication.response_time)
    , values(Authentication.signature)
    , values(Authentication.signature_id)
    , values(Authentication.src_bunit)
    , values(Authentication.src_category)
    , values(Authentication.src_nt_domain)
    , values(Authentication.src_priority)
    , values(Authentication.src_user_bunit)
    , values(Authentication.src_user_category)
    , values(Authentication.src_user_priority)
    , values(Authentication.user_bunit)
    , values(Authentication.user_category)
    , values(Authentication.user_priority)
    , values(Authentication.action) AS action
    , values(Authentication.app)
    , values(Authentication.src)
    , values(Authentication.src_user)
    , values(Authentication.dest)
    , values(host)
    , values(source)
    , values(sourcetype)
  from datamodel=Authentication.Authentication
  where Authentication.action=failure
    AND (Authentication.signature_id=4625 OR Authentication.signature_id=4772 OR Authentication.signature_id=4771)
  by Authentication.user, Authentication.src, Authentication.signature_id, _time
| table *
Lastly, specify the fields you want: replace those in the tstats and table commands, and add post-processing (stats, rex, lookups, etc.).
(Note: I did not show this part in the example.)
And, as Christopher Walken would say, "BAM!"
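As an added example that is not part of the original post, here is what the final, trimmed-down step of the procedure above can look like: the same Authentication data model, the same action=failure filter and the same three Windows signature IDs (4625, 4771, 4772), but with only the fields needed for a brute-force detection kept, the by clause bucketed by hour, and post-processing added after the tstats. The hourly span, the threshold of 10 failures, the dest_count/first_seen/last_seen output names and the field order in the table are my own choices and are assumptions, not anything the original post specifies; the Authentication.* field names are the standard ones from the data model the post uses.

```spl
| tstats count AS failures
    , dc(Authentication.dest) AS dest_count
    , values(Authentication.dest) AS dest
    , values(Authentication.signature_id) AS signature_id
    , min(_time) AS first_seen
    , max(_time) AS last_seen
  from datamodel=Authentication.Authentication
  where Authentication.action=failure
    AND (Authentication.signature_id=4625 OR Authentication.signature_id=4771 OR Authentication.signature_id=4772)
  by Authentication.user, Authentication.src, _time span=1h
| rename Authentication.* AS *
| where failures >= 10
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table _time user src failures dest_count dest signature_id first_seen last_seen
| sort - failures
```

Reading it top to bottom: tstats does all the heavy lifting against the accelerated data model, so only the aggregations you actually need are listed (count of failures, distinct destinations, and the earliest/latest failure time inside each hourly bucket). The `rename Authentication.* AS *` strips the data model prefix from the by-fields so the rest of the search can refer to plain user and src. The `where failures >= 10` line is the assumed alerting threshold; tune it to your environment, and drop or raise it if you only want a review table rather than an alert. Everything after the tstats is ordinary post-processing, so a `lookup` against your asset or identity list, or a `rex` on dest, slots in before the `table` without changing the tstats part.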