I'm working to transition a traditional search to utilize the accelerated data models my environment has available. My original search is below:

    (index=firewall sourcetype="vpn-resource" (event_id="authentication") status=success) OR (index=webapp outcome.result=SUCCESS eventType=user.authentication.sso) OR (index=mfa sourcetype=mfa:authentication result=SUCCESS)
    | fields type user src_ip targetAppDisplayName ip integration username index
    | eval user=coalesce(user, username)
    | eval "Resource Accessed"=coalesce(type, integration, targetAppDisplayName)
    | eval src_ip=coalesce(ip, src_ip)
    | iplocation allfields=true src_ip
    | search City!=""
    | eval cur_t=_time
    | streamstats current=t window=5 first(lat) as prev_lat first(lon) as prev_lon first(cur_t) as prev_t first(src_ip) as IP2 first(City) as City2 first(Country) as Country2 first("Resource Accessed") as prev_r first(index) as prev_i by user
    | rename src_ip as IP1 City as City1 Country as Country1 "Resource Accessed" as first_r index as first_i
    | eval time_diff=cur_t - prev_t
    | distance outputField=distance inputFieldLat1=lat inputFieldLat2=prev_lat inputFieldLon1=lon inputFieldLon2=prev_lon

My version utilizing tstats follows; however, in the tstats version I appear to run into issues with the distance command, as both lat/lon and prev_lat/prev_lon are working on a per-event rather than a per-user basis.
    | tstats summariesonly=true prestats=t count fillnull_value=NULL from datamodel=firewall_dm where (log.event_id=gateway-auth) AND log.action=success by sourcetype _time log.action log.src_ip log.user
    | tstats summariesonly=true append=t prestats=t count fillnull_value=NULL from datamodel=Authentication where (sourcetype=mfa:authentication OR sourcetype=webappIM2:log) AND Authentication.action=success by sourcetype _time Authentication.action Authentication.src Authentication.user Authentication.app
    | rename log.* as *, Authentication.* as *
    | eval src_ip=coalesce(src, src_ip)
    | eval "Resource Accessed"=if(match(sourcetype, "vpn-resource"), "VPN", app)
    | iplocation allfields=true src_ip
    | search City!=""
    | eval cur_t=_time
    | streamstats current=t window=5 first(lat) as prev_lat first(lon) as prev_lon first(cur_t) as prev_t first(src_ip) as IP2 first(City) as City2 first(Country) as Country2 first("Resource Accessed") as prev_r first(index) as prev_i by user
    | rename src_ip as IP1 City as City1 Country as Country1 "Resource Accessed" as first_r index as first_i
    | eval time_diff=cur_t - prev_t
    | distance outputField=distance inputFieldLat1=lat inputFieldLat2=prev_lat inputFieldLon1=lon inputFieldLon2=prev_lon

Based on the input data from both base searches being the same (lines , I would expect the outcome to match; however, I believe my use of prestats is somewhat limiting my ability to manipulate the data downstream?
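The per-user pairing that the streamstats and distance stages in the searches above are meant to perform, written out as an added Python example (not code from the original post and not Splunk's implementation of streamstats or distance). The sample login events and the 1000 km/h speed threshold are constructed assumptions, and events are assumed to be processed oldest-first.

```python
import math
from collections import defaultdict, deque

# Constructed sample rows (not from the original post): one successful login
# per row, already geolocated, in the shape the searches above produce.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "alice", "src_ip": "203.0.113.5", "City": "Dublin",
     "lat": 53.33, "lon": -6.25, "Resource Accessed": "VPN"},
    {"_time": 1700000600, "user": "bob", "src_ip": "198.51.100.7", "City": "Boston",
     "lat": 42.36, "lon": -71.06, "Resource Accessed": "webmail"},
    {"_time": 1700003600, "user": "alice", "src_ip": "198.51.100.9", "City": "Sydney",
     "lat": -33.87, "lon": 151.21, "Resource Accessed": "mfa-portal"},
    {"_time": 1700004200, "user": "bob", "src_ip": "198.51.100.7", "City": "Boston",
     "lat": 42.36, "lon": -71.06, "Resource Accessed": "VPN"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def pair_logins(events, window=5):
    """Per-user sliding window of the last `window` logins (including the
    current one), like 'streamstats current=t window=5 first(...) by user':
    each login is compared with the oldest login in its user's window."""
    history = defaultdict(lambda: deque(maxlen=window))
    rows = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        h = history[ev["user"]]          # keyed by user, never across users
        h.append(ev)
        prev = h[0]                      # first() over this user's window
        rows.append({
            "user": ev["user"], "IP1": ev["src_ip"], "IP2": prev["src_ip"],
            "City1": ev["City"], "City2": prev["City"],
            "time_diff": ev["_time"] - prev["_time"],
            "distance": haversine_km(ev["lat"], ev["lon"], prev["lat"], prev["lon"]),
        })
    return rows

def impossible_travel(rows, max_kmh=1000.0):
    """Flag rows whose implied speed exceeds max_kmh (assumed threshold).
    A login paired with itself (time_diff == 0) is never flagged."""
    return [r for r in rows
            if r["time_diff"] > 0 and r["distance"] / (r["time_diff"] / 3600.0) > max_kmh]
```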