×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
riat
New Member
Member since: ‎01-15-2021
‎01-16-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-15-2021
Activity Feed
View All

how to accelerate get timechart data from datamode...

by in Splunk Search
‎01-15-2021 09:06 PM
‎01-15-2021 09:06 PM
Hai, please I wanna ask how to accelerate to get timechart with datamodel from this query   | datamodel Intrusion_Detection IDS_Attacks search | search ("IDS_Attacks.src"="10.0.0.0/8" OR "IDS_Attacks.src"="172.16.0.0/12" OR "IDS_Attacks.src"="192.168.0.0/16") AND ("IDS_Attacks.severity"="high" OR "IDS_Attacks.severity"="critical") | table _time,IDS_Attacks.category | timechart useother=`useother` count by IDS_Attacks.category   I have tried to use tstats but the data is not suitable because with tstats command there are some count data which are calculated to be just 1 event in so that timechart not clear, this tstats command I used before   | tstats allow_old_summaries=t count from datamodel=Intrusion_Detection.IDS_Attacks where ("IDS_Attacks.src"="10.0.0.0/8" OR "IDS_Attacks.src"="172.16.0.0/12" OR "IDS_Attacks.src"="192.168.0.0/16") AND ("IDS_Attacks.severity"="high" OR "IDS_Attacks.severity"="critical") by _time span=s IDS_Attacks.category | timechart useother=`useother` count by IDS_Attacks.category   thanks for your help before best regard ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-16-2021 06:51 AM