I would like to restrict the tstats search below to a specific index. The search uses the IDS_Attacks datamodel in ES. Is this possible?
|`tstats` count from datamodel=Intrusion_Detection where * IDS_Attacks.ids_type=network IDS_Attacks.category=* IDS_Attacks.severity=* by _time,IDS_Attacks.severity span=10m | chart useother=`useother` count by IDS_Attacks.severity | `drop_dm_object_name("IDS_Attacks")`| sort -count
Splunk App for Enterprise Security: Is it possible to restrict a tstats search to a specific index?