I have the "Splunk Add-on for Unix and Linux", the "Splunk App for Unix and Linux", and "Linux Auditd" applications installed. When I bring up the "Linux Auditd" and look for data, there is a lot of nothing. The command starts with `| tstats count WHERE [|inputlookup auditd-indicies] ...`
Does `tstats` require some kind of data model? If so, is there an existing one to use?
Thanks.