I'm trying to use eval within stats to work with data from tstats, but it doesn't seem to work the way I expected it to work. I'm hoping there's something that I can do to make this work.
Here's a simplified version of what I'm trying to do:
| tstats summariesonly=t allow_old_summaries=f prestats=t count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h
| `drop_dm_object_name("All_Traffic")`
| stats count as total_connections count(eval(action="allowed")) as allowed count(eval(action="blocked" OR action="dropped")) as blocked by _time, sourcetype
When I run that, I see valid numbers for total_connections, but the "allowed" and "blocked" values are all just "0".
The following works for me:
| tstats summariesonly=t allow_old_summaries=f prestats=f count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h
| `drop_dm_object_name("All_Traffic")`
However, that doesn't present the data in the way I want it. I'd like to add things like percentage blocked per sourcetype, etc., with additional eval statements.
Any suggestions for how to get the stats command to work with those nested eval statements? Is that unsupported? (I've read that nested eval within tstats isn't supported, but that it is supported within stats)
Thanks!
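A working form of the query described above, added here as an example and not part of the original post. It assumes the prestats=f output shown in the post (one row per hour, sourcetype and action, carrying a count field), and it sums that count field instead of counting rows so that the per-action totals reflect connections rather than summary rows:

```spl
| tstats summariesonly=t allow_old_summaries=f prestats=f count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.action!="unknown") by _time,sourcetype,All_Traffic.action span=1h
| `drop_dm_object_name("All_Traffic")`
``` sum the per-action row counts into the buckets the post wants ```
| stats sum(count) as total_connections
        sum(eval(if(action="allowed", count, 0))) as allowed
        sum(eval(if(action="blocked" OR action="dropped", count, 0))) as blocked
  by _time, sourcetype
``` derived fields such as the percentage blocked per sourcetype ```
| eval pct_blocked=round(100 * blocked / total_connections, 2)
```

With prestats=t, tstats emits partial aggregates meant for a following stats that repeats the same count; the per-row count(eval(...)) tests have no action values to match there, which is why they come back as 0.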