Splunk How to Convert a Search Query Into a Tstats Query
- Published 25 Oct 2024
- Splunk Tstats query can be confusing when you first start working with them. This video will focus on how a Tstats query is written and how to take a normal SPL query and convert it into a Tstats query.
Splunk Data Models and why you should use them • Splunk Data Models - W...
Getting the data model restricted to specific indexes • Splunk Data Models Res...
Eventtypes for the data model • Splunk Data Models and...
Tagging the data for the data model • Splunk Data Models and...
Field aliasing for the data model • Splunk Data Model Fiel...
Converting a normal query into a tstats query - • Splunk How to Convert ...
Join this channel to get access to early releases of videos and exclusive training videos that will help make you a L.A.M.E. ninja: / @lamecreations_guides
Visit our discord channel to post questions and suggestions for what you want to learn. / discord
The latest L.A.M.E. Splunk apps are available at
www.github.com...
2 weeks ago I started messing around with Splunk tstats; today I am messing around with macros and CIM. Amazing material and delivery.
Glad the material is helping you out. Thanks for the kind words.
Thank you for this series. It has helped me gain a better understanding of data models as I prepare for the Power User certification exam.
I'm glad it was of help.
Your videos are like no other! Super super super useful. They have helped me a lot understanding and using Splunk as a new Security Analyst! Thank you SO MUCH!
Glad you like them!
Thank you for all those details, I really enjoyed all your videos. Can you please make some more videos about the Infosec app and the use of its Dashboards?
I am always up for a challenge. I have never seen the Infosec app before.
I assume you are referring to this app:
splunkbase.splunk.com/app/4240
I will take a look and give it a video.
This app looks awfully similar to the Splunk Security Essentials app,
splunkbase.splunk.com/app/3435
which I am familiar with and I can do a video on this one as well.
Thanks for the kind words.
Could you also make a video about prestats=t?
I will put it on my roadmap. Thanks for the suggestion.
Hi man, great video as always!
How do you use values in tstats? Is there any way to make more complicated queries with evals, joins, etc.?
I will put a tstats (advanced) video together for you. I will shoot for having it live by end of week. Thanks for the suggestion. Your second request was a little harder for me to understand. Are you asking if you can use evals and joins in a tstats query? If that is your question, the answer is absolutely. I will try to demo those. Join is a completely different beast and I need to dedicate a video exclusively to join (it is the same in tstats and normal search), but join is something that is often done inefficiently, so thanks for reminding me to do a video on that one as well. If I missed the point of your message, feel free to email me, comment again, or send me a message on Discord.
@lamecreations_guides no no man, you were actually on point... I've joined the Discord so we can discuss more there :D
thank you very much!
@lamecreations_guides did you ever make this video?
What's the major difference between calling data via from datamodel and tstats?
tstats is a method of looking across the "tsidx" data, which is the accelerated data. The data model is just a way of pulling out data to be accelerated. So they work hand in hand. Data models can be accelerated or not accelerated, and you can search a data model using tstats. If the data model is accelerated, the tstats query will be fast; if it is not accelerated, a tstats query will still run but it won't gain any speed benefits. Hope this helps. Data models are a way of exposing _raw fields to the tstats queries.
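As an added illustration of the reply above (example searches written for this page, not material from the video or the channel's own apps): the same question asked as a normal search, as a tstats search over the index-time fields that live in the tsidx files, and as a tstats search against a data model, with and without summariesonly. The data model name Web and the fields Web.status, Web.src, Web.dest and Web.url are from the CIM Web data model; the index name web and the sourcetype access_combined are assumed sample values that you would replace with your own. The "Search N" lines are labels for the reader, not SPL.

```spl
Search 1 (normal SPL: reads _raw events, fields are extracted at search time):
index=web sourcetype=access_combined status=404
| stats count by src, dest

Search 2 (tstats over index-time fields only; needs no data model because
index, sourcetype, source and host are already in the tsidx files):
| tstats count where index=web sourcetype=access_combined by host

Search 3 (Search 1 rewritten against the Web data model; data model fields
carry the dataset prefix, which rename strips so later commands see src/dest):
| tstats count from datamodel=Web where Web.status=404 by Web.src, Web.dest
| rename Web.* as *

Search 4 (values() inside tstats, for the question about values above):
| tstats count, values(Web.url) as urls from datamodel=Web where Web.status>=400 by Web.src

Search 5 (summariesonly=true reads only the accelerated summaries, so it is fast,
but events not yet accelerated, or a data model that is not accelerated, return nothing):
| tstats summariesonly=true count from datamodel=Web where Web.status=404 by _time span=1h, Web.src
```

Without summariesonly (Searches 3 and 4), tstats falls back to running the data model's search over the raw events for anything not in the summaries, which is why a tstats search still returns results on a non-accelerated data model but without the speed-up; for detections that must not miss late-arriving data, the trade-off between summariesonly=true and the fallback is the thing to decide deliberately.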
I so appreciate your instruction! As a newcomer to Splunk AND cybersecurity, these videos are a wealth of real-world insight! Thank you!!!
Awesome, thank you!