Hello everyone,
I've just been looking into the code of the content management correlation searches and I couldn't understand some parts of it!
These are my questions:
What is the difference between tstats and 'tstats'?
Why do they put some entities inside $?
For example:
| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$
The code above is for "Entity Investigator Search".
And the last question, for now, is: what is the meaning of "drop_dm_object_name"?
I surfed the net but I couldn't find the best answer or any answers to my questions!
Thank you