2 weeks ago I started messing around with Splunk tstats; today I am messing around with macros and CIM. Amazing material and delivery.
Glad the material is helping you out. Thanks for the kind words.
Thank you for this series. It has helped me gain a better understanding of data models as I prepare for the Power User certification exam.
I'm glad it was of help.
Your videos are like no other! Super super super useful. They have helped me a lot understanding and using Splunk as a new Security Analyst! Thank you SO MUCH!
Glad you like them!
Could you also make a video about prestats=t ?
I will put it on my roadmap. Thanks for the suggestion.
Thank you for all those details, I really enjoyed all your videos. Can you please make some more videos about the Infosec app and the use of its Dashboards?
I am always up for a challenge. I have never seen the Infosec app before. I assume you are referring to this app: splunkbase.splunk.com/app/4240. I will take a look and give it a video. This app looks awfully similar to the Splunk Security Essentials app, splunkbase.splunk.com/app/3435, which I am familiar with, and I can do a video on this one as well. Thanks for the kind words.
Hi man, great video as always!
How do you use values in tstats? Is there any way to make more complicated queries with evals, joins, etc.?
I will put together a tstats (advanced) video for you. I will shoot for having it live by the end of the week. Thanks for the suggestion. Your second request was a little harder for me to understand. Are you asking if you can use evals and joins in a tstats query? If that is your question, the answer is absolutely. I will try to demo those. Join is a completely different beast and I need to dedicate a video exclusively to join (it is the same in tstats and normal search), but join is something that is often done inefficiently, so thanks for reminding me to do a video on that one as well. If I missed the point of your message, feel free to email me, comment again, or send me a message on Discord.
@lamecreations_guides No no man, you were actually on point... I've joined the Discord so we can discuss more there :D
thank you very much!
@lamecreations_guides Did you ever make this video?
What's the major difference between calling data via from datamodel and tstats?
tstats is a method of looking across the "tsidx" data, which is the accelerated data. The data model is just a way of pulling out data to be accelerated. So they work hand in hand. Data models can be accelerated or not accelerated, and you can search a data model using tstats. If the data model is accelerated, the tstats query will be fast; if it is not accelerated, a tstats query will still run but it won't gain any speed benefits. Hope this helps. Data models are a way of exposing _raw fields to the tstats queries.
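The three points raised in this thread (values() and eval inside a tstats search, the prestats=t request, and the answer just above on tstats versus from datamodel) can be put side by side in SPL. The queries below are an added example written for this page, not from the video or from any commenter. They assume a CIM-compliant Authentication data model that has been accelerated, a time range set by the time picker, and two arbitrary thresholds (10 distinct destinations and 50 failures per hour from one source) chosen here only to illustrate flagging a password-spray source. The first query reads only the accelerated summaries, the second pulls the same events through from datamodel and does the aggregation with stats over raw events, and the third shows prestats=t handing its partial results to timechart.

```spl
| tstats summariesonly=true
    count AS failures
    values(Authentication.user) AS users
    dc(Authentication.dest) AS targets
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure"
    BY Authentication.src _time span=1h
| rename Authentication.* AS *
| eval spray=if(targets>=10 AND failures>=50, "yes", "no")
| where spray="yes"

| from datamodel:"Authentication.Authentication"
| search Authentication.action="failure"
| bin _time span=1h
| stats count AS failures
    values(Authentication.user) AS users
    dc(Authentication.dest) AS targets
    BY Authentication.src _time
| rename Authentication.* AS *
| eval spray=if(targets>=10 AND failures>=50, "yes", "no")
| where spray="yes"

| tstats prestats=true count
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure"
    BY _time span=1h
| timechart span=1h count
```

The first and second queries should return the same rows when acceleration is caught up; if the tstats version returns fewer, the summary is lagging or the model is not accelerated, and that is the check to run before trusting a tstats-based detection. summariesonly=true makes that gap visible by refusing to fall back; the default, summariesonly=false, is what lets an unaccelerated tstats still return results, as the answer above notes, at raw-search speed. The rename after tstats strips the Authentication. prefix so eval and where can use plain field names. join is deliberately not shown: the enrichment people usually reach for join to do is cheaper with a lookup or a second stats over the combined results.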
I so appreciate your instruction! As a newcomer to Splunk AND cybersecurity, these videos are a wealth of real-world insight! Thank you!!!
Awesome, thank you!