Thank you sir! The way you teach in these videos, every concept looks very simple... Keep sharing your knowledge!
You are a brilliant guy, Sir.... Good explanation.
Thanks for the tutorial! Really helpful. Brilliant channel! Looking forward to more of your videos.
If you're not using tstats and data models (with acceleration), you don't understand how to use Splunk at scale.
Excellent video as usual sir.
I'd also recommend people look at these Splunk .conf presentations for more inspiration on this topic. conf.splunk.com/watch/conf-online.html?search=tstats#/
It's so important to know how to use this for reports and dashboards if you want them to work super fast.
Splunk Enterprise Security wouldn't exist without these features.
Thank you for sharing the Splunk .conf link... It's an excellent read.
superb
Very good tutorial. One question regarding acceleration: what is the recommended summary range? You chose 7 days in your example, but what are the advantages/disadvantages of choosing a different range?
It purely depends on the date range you are going to use in your pivot report. For example, if you have a data model that accelerates the last month of data but you create a pivot using one of this data model's dataset that runs over the past year, the pivot will initially only get acceleration benefits for the portion of the search that runs over the past month.
If you use a bigger range, it will take more space, and building the summary will also take more time.
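An added example, not from the video or this thread, for checking how much of a search window is actually served by the acceleration summary: it counts events per day from the summary only, then from the full search, and reports the uncovered remainder. The data model name is taken from the Threat_Intelligence question later in the thread and is an assumption; substitute your own accelerated model and root dataset.

```spl
| tstats summariesonly=true count AS from_summary
    from datamodel=Threat_Intelligence.Threat_Activity
    by _time span=1d
| append
    [| tstats summariesonly=false count AS full_count
        from datamodel=Threat_Intelligence.Threat_Activity
        by _time span=1d]
| stats sum(from_summary) AS from_summary, sum(full_count) AS full_count by _time
| fillnull value=0 from_summary full_count
| eval not_accelerated=full_count-from_summary,
       covered_pct=if(full_count>0, round(100*from_summary/full_count, 1), 100)
| table _time full_count from_summary not_accelerated covered_pct
```

Days with a large not_accelerated value fall outside the summary range (or the summary has not finished building yet), which is exactly the portion of a long-range pivot that runs at un-accelerated speed.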
Thank you so much for the videos!!!
Nice video... Where exactly is the summary index data stored? Is it on the indexers or the SH?
A summary index is just like other indexes; the only difference is how data is stored there. So, on the indexers.
Too good, can't thank you enough.
fyi - walklex is available in SplunkWeb.
Could you please help with how to add "|transaction keepevicted=true by sessionId" in a DataModel?
Hi Debashis,
Please refer to the link below and see if this is helpful.
answers.splunk.com/answers/232663/how-to-create-a-data-model-from-a-subset-of-all-tr.html
Sir, can you please tell me how to upload that .emmx file, like what source type should we use? It will be very helpful for me.
That is the mindmap I used for the video, you can ignore that file.
@splunk_ml Thank you very much, Sir.
Bro, how to optimize a Splunk query?
The first step is to see the job output. There you will see the details about which command is taking more time... Also, you should see the converted query. I will try to create content for this.
Could you make a video on REST API calls, please? Thanks in advance.
I created some... Please have a look at the advanced searching and reporting playlist.
How do you run a tstats query against the Threat Intelligence Datamodel?
Example:
| tstats summariesonly=true count
from datamodel="Threat_Intelligence.Threat_Activity"
where nodename="Threat_Activity.IP_Intelligence" by IP_Intelligence.threat_key
It would be the same way you use tstats for other data models. Any specific error you are getting for the SPL you have given?
@splunk_ml
The search SPL I listed above doesn't work since the file structure for the Threat Intelligence Datamodel only has "Events" and "Searches", so when I attempt to run a stats command for IP_Intelligence to list city, postal code and country it doesn't work. No errors, just no returned data, even though the pivot shows data is present.
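An added example, not the commenter's or Splunk's own code, that runs tstats against the accelerated Threat_Activity root event dataset and enriches each matched IP with iplocation to get city and country. The field names threat_collection, threat_match_value, threat_key, src and dest and the collection value ip_intel are assumed from the Enterprise Security Threat_Intelligence data model.

```spl
| tstats summariesonly=true count AS matches,
         min(_time) AS first_seen, max(_time) AS last_seen
    from datamodel=Threat_Intelligence.Threat_Activity
    where Threat_Activity.threat_collection=ip_intel
    by Threat_Activity.threat_match_value, Threat_Activity.threat_key,
       Threat_Activity.src, Threat_Activity.dest
| rename Threat_Activity.* AS *
| iplocation threat_match_value
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen last_seen threat_key threat_match_value City Country src dest matches
| sort - matches
```

summariesonly=true returns rows only from the acceleration summary, so if this comes back empty while the pivot shows data, rerun it with summariesonly=false to tell an acceleration gap apart from a genuine absence of matches.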