This is the query I have:
| tstats `summariesonly` count from datamodel=Threat_Intelligence.Threat_Activity where NOT [| `ppf_subsearch_dm("ppf_threat_activity","threat_match_field,threat_match_value",now(),"Threat_Activity")`] by Threat_Activity.threat_key | `drop_dm_object_name("Threat_Activity")` | `get_threat_attribution(threat_key)` | stats sum(count) as count by threat_category | sort 10 - count
I have a couple questions regarding it:
1) What is the datamodel=Threat_Intelligence.Threat_Activity part doing? If it was just (for example): datamodel=Threat_Intelligence, then it would be counting from the data model node that is named "Threat_Intelligence" (if I'm not mistaken). So what does the .Threat_Activity do to it?
2) Similar to the first question, what is the "by Threat_Activity.threat_key" part doing? I believe the "by" means that it's aggregating by the field "Threat_Activity.threat_key". Again, what is the .threat_key doing there?
3) What is the stats sum(count) as count by threat_category part doing? I've read through the stats page on the Splunk reference site but I'm still not 100% sure what stats sum does. I believe that the other part of that command is renaming what stats sum(count) did as count and aggregating by the field threat_category.
4) Regarding the NOT operator, does the NOT apply to all of: `ppf_subsearch_dm("ppf_threat_activity","threat_match_field,threat_match_value",now(),"Threat_Activity")` ? Also, what is the square bracket doing there and why does a pipe directly follow the NOT operator?
5) Does anyone have any idea of what any of the macros are doing? I don't have the macro definitions for them and I also don't have access to them. I'm pretty sure that the `summariesonly` one directly following tstats just sets tstats to true. But other than that, I'm lost.
If anyone could help me with all or any one of the questions I have, I would really appreciate it.
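An added example, not part of the post above, that isolates the tail of the query from question 3. It builds a handful of constructed rows with makeresults in place of what the tstats and get_threat_attribution stages would emit (the threat_category, threat_key and count values are made up), then applies the same stats sum(count) as count by threat_category | sort 10 - count stages so the aggregation can be watched on known input.

```spl
| makeresults
| eval rows="malware,hash_1,4;malware,hash_2,6;phishing,domain_1,3;c2,ip_1,9;phishing,domain_2,2"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<threat_category>[^,]+),(?<threat_key>[^,]+),(?<count>\d+)$"
| eval count=tonumber(count)
| fields threat_category threat_key count
| stats sum(count) as count by threat_category
| sort 10 - count
```

Before the stats stage there are five rows, one per threat_key; after it there are three, one per threat_category, with count holding the per-category total (malware 10, c2 9, phishing 5), and sort 10 - count orders them by count descending and keeps at most ten.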