For information on choosing a data model as a data source, see What data models are included in the Splunk Add-on for Common Information Model.

For information about choosing a lookup table as a data source, see Introduction to lookup configuration in the Knowledge Manager Manual and Create and manage lookups in Splunk Enterprise Security in Use Splunk Enterprise Security.

For information about aggregate functions, see the Splunk platform documentation.

• For Splunk Enterprise, see Use the stats command and functions in the Splunk Enterprise Search Manual.
• For Splunk Cloud Platform, see Use the stats command and functions in the Splunk Cloud Platform Search Manual.

For examples of time modifiers, see the Splunk platform documentation.

• For Splunk Enterprise, see Specify time modifiers in your search in the Splunk Enterprise Search Manual.
• For Splunk Cloud Platform, see Specify time modifiers in your search in the Splunk Cloud Platform Search Manual.

For information on real-time and continuous search scheduling, see the Splunk platform documentation.

• For Splunk Enterprise, see Real-time scheduling and continuous scheduling in the Splunk Enterprise Reporting Manual.
• For Splunk Cloud Platform, see Real-time scheduling and continuous scheduling in the Splunk Cloud Platform Reporting Manual.

For information on search schedule priority, see the Splunk platform documentation.

• For Splunk Enterprise, see Prioritize concurrently scheduled reports in Splunk Web in the Splunk Enterprise Reporting Manual.
• For Splunk Cloud Platform, see Prioritize concurrently scheduled reports in Splunk Web in the Splunk Cloud Platform Reporting Manual.

For information on trigger conditions and configuring those conditions for a search, see the Splunk platform documentation.

• For Splunk Enterprise, see Configure alert trigger conditions in the Splunk Enterprise Alerting Manual.
• For Splunk Cloud Platform, see Configure alert trigger conditions in the Splunk Cloud Platform Alerting Manual.

For details about how to make sure that additional fields appear in the notable event details, see Change notable event fields in Administer Splunk Enterprise Security.