Splunk Commands : Discussion on tstats command

  • Published on 13 Aug 2024
  • In this video I have discussed the tstats command in Splunk.
    Use the tstats command to perform statistical queries on indexed fields in tsidx files. The indexed fields can come from normal index data, tscollect data, or accelerated data models.
    The diagram and code used in this tutorial can be downloaded from the repo below:
    github.com/sid...
  • Science & Technology

Comments • 27

  • @shikhaupadhyay3843 3 years ago +1

    Thank you sir! The way you teach, in these videos, every concept looks very simple...Keep sharing your knowledge!

  • @DickSvensson 5 years ago +1

    Great video with excellent structure and explanations. Thanks for sharing your knowledge about Splunk.

    • @splunk_ml 5 years ago

      Thank you 👍

  • @SantoshKumar-bm2iz 2 years ago

    You are a brilliant guy Sir....Good explanation

  • @takeshikovacs1081 4 years ago

    Thanks for the tutorial! Really helpful. Brilliant channel! Looking forward to more of your videos.

  • @reenzz2007 5 years ago +1

    Thank you so much for the videos!!!

  • @simple-security 5 years ago

    If you're not using tstats and data models (with acceleration), you don't understand how to use Splunk at scale.
    Excellent video as usual sir.
    I'd also recommend people look at these Splunk .conf presentations for more inspiration on this topic. conf.splunk.com/watch/conf-online.html?search=tstats#/
    It's so important to know how to use this for reports and dashboards if you want them to work super fast.
    Splunk Enterprise Security wouldn't exist without these features.

    • @splunk_ml 5 years ago +1

      Thank you for sharing the Splunk .conf link... It's an excellent read.

  • @amarkondraju1379 5 years ago +2

    superb

  • @ambidextrous2010 3 years ago

    Too good, can't thank you enough

  • @TheSharkdba 4 years ago

    Very good tutorial. One question regarding acceleration: what is the recommended summary range? You chose 7 days in your example, but what are the advantages/disadvantages of choosing a different range?

    • @splunk_ml 4 years ago +1

      It purely depends on the date range you are going to use in your pivot report. For example, if you have a data model that accelerates the last month of data but you create a pivot using one of this data model's datasets that runs over the past year, the pivot will initially only get acceleration benefits for the portion of the search that runs over the past month.
      If you use a bigger range, it will take more space, and building the summary will also take time.

  • @debashispanda6854 5 years ago

    Could you please help: how do I add "| transaction keepevicted=true by sessionId" in a data model?

    • @splunk_ml 5 years ago

      Hi Debashis,
      Please refer to the link below and see if it is helpful.
      answers.splunk.com/answers/232663/how-to-create-a-data-model-from-a-subset-of-all-tr.html

  • @timlindgren478 3 years ago

    FYI - walklex is available in Splunk Web.

  • @dilsheeralip1267 3 years ago

    Nice video. Where exactly is the summary index data stored? Is it on the indexers or the SH?

    • @splunk_ml 3 years ago

      A summary index is just like other indexes; the only difference is how the data is stored there. So, on the indexers.

  • @kedrickevans8475 4 years ago

    How do you run a tstats query against the Threat Intelligence data model?
    Example:
    | tstats summariesonly=true count
    from datamodel="Threat_Intelligence.Threat_Activity"
    where nodename="Threat_Activity.IP_Intelligence" by IP_Intelligence.threat_key

    • @splunk_ml 4 years ago

      It would be the same way you use tstats for other data models. Any specific error you are getting for the SPL you have given?

    • @kedrickevans8475 4 years ago

      @splunk_ml
      The search SPL I listed above doesn't work, since the file structure for the Threat Intelligence data model only has "Events" and "Searches", so when I attempt to run a stats command for IP_Intelligence to list city, postal code and country it doesn't work. No errors, just no data returned, even though the pivot shows data is present.
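The tstats forms named in the video description (raw index data versus an accelerated data model) and the Threat_Intelligence question in this thread, worked through as an added example that is not from the video, its repo, or any commenter. It is written as savedsearches.conf stanzas so each query can carry comments. Stanza names, index filters, thresholds and schedules are constructed; the Authentication fields are from the Splunk CIM; the Threat_Activity dataset and its threat_key / threat_match_* fields are assumed from Splunk Enterprise Security and should be confirmed with `| datamodel Threat_Intelligence` on the target instance.

```ini
# Added example, not from the video or its repo. Saved-search stanzas for
# savedsearches.conf showing tstats over (1) raw tsidx data and (2)-(3) accelerated
# data models. Stanza names, schedules and thresholds are constructed for illustration.

# (1) Normal index data: tstats reads the tsidx files directly, no data model needed.
#     Only indexed fields are available (index, sourcetype, source, host, _time and
#     any INDEXED_EXTRACTIONS). A feed that stops sending shows up as a stale
#     last_seen, which is far cheaper to schedule than a raw search over index=*.
[Feed health - stale sourcetypes]
description = Sourcetypes with no events in the last hour (constructed example)
search = | tstats count latest(_time) AS last_seen WHERE index=* BY index sourcetype \
| eval minutes_silent = round((now() - last_seen) / 60) \
| where minutes_silent > 60
dispatch.earliest_time = -24h
dispatch.latest_time = now
cron_schedule = 15 * * * *
enableSched = 1

# (2) Accelerated data model (CIM Authentication). summariesonly=true reads only the
#     acceleration summaries, so the search is fast but silently returns nothing for
#     time ranges the summary does not cover: keep dispatch.earliest_time inside the
#     model's summary range (7 days in the video). The child dataset is selected with
#     nodename; "FROM datamodel=Authentication.Failed_Authentication" is equivalent.
[Failed logons by source - hourly]
description = Sources with more than 50 failed logons in an hour (constructed threshold)
search = | tstats summariesonly=true count values(Authentication.user) AS users \
    FROM datamodel=Authentication.Authentication \
    WHERE nodename=Authentication.Failed_Authentication \
    BY _time span=1h Authentication.src \
| rename Authentication.src AS src \
| where count > 50
dispatch.earliest_time = -7d
dispatch.latest_time = now
cron_schedule = 5 * * * *
enableSched = 1

# (3) Enterprise Security Threat_Intelligence model (assumed structure: verify with
#     "| datamodel Threat_Intelligence", which prints the model's datasets and fields).
#     Threat_Activity is the root event dataset; the threat lookups (ip_intel and the
#     others) are KV store collections, not datasets, so a nodename that points at
#     one of them matches no events and returns zero rows with no error. Enrichment
#     such as city or country comes from joining the lookup after the aggregation.
[Threat intel matches by threat key]
description = Threat matches grouped by threat_key and matched field (assumed ES fields)
search = | tstats summariesonly=true count \
    FROM datamodel=Threat_Intelligence.Threat_Activity \
    BY Threat_Activity.threat_key Threat_Activity.threat_match_field Threat_Activity.threat_match_value \
| rename Threat_Activity.* AS *
dispatch.earliest_time = -7d
dispatch.latest_time = now
cron_schedule = 0 * * * *
enableSched = 1
```

If stanza (2) or (3) returns no rows, rerun the same SPL ad hoc with summariesonly=false: rows that appear only then mean the summary is lagging or the dispatch range falls outside the model's summary range, which is the trade-off of a short summary range discussed earlier in this thread.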

  • @faceofthesystem2841 2 years ago

    Sir, can you please tell me how to upload that .emmx file, like what source type we should use? It will be very helpful for me.

    • @splunk_ml 2 years ago +1

      That is the mind map I used for the video; you can ignore that file.

    • @faceofthesystem2841 2 years ago

      @splunk_ml Thank you very much, Sir

  • @manubelfort9383 4 years ago

    Could you make a video on REST API calls, please? Thanks in advance.

    • @splunk_ml 4 years ago +1

      I created some... Please have a look at the advanced searching and reporting playlist.

  • @ravib6889 5 years ago

    Bro, how do I optimize a Splunk query?

    • @splunk_ml 5 years ago +1

      The first step is to look at the job output. There you will see details about which command is taking more time; you should also look at the converted query. I will try to create content for this.