Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Impossible number of occurrences being returned

Ara
New Member
‎01-18-2024 02:22 PM

Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out how which policies are not being used by looking at the number of times it was not applied.

i.e.:

Input:

Ara_1-1705615939662.png

 

Desired Output:

displayNameresultcount
Policy1success1
Policy2failure1
Policy3notApplied1

 

However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query?

<my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result

 

Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-23-2024 11:42 PM

(First off, please post sample data as text block, not screenshot.)  You should first convert JSON array Policy{} into multivalue of its JSON element before applying mvexpand.  spath is very useful here.  In 9.0, Splunk added a new command fromjson which is more convenient for your case.  The following uses fromjson:

 

| fromjson _raw
| mvexpand Policies
| fromjson Policies
| stats count by displayName result

 

Your mock data gives

displayNameresultcount
Policy1success1
Policy2failure1
Policy3notApplied1

This is an emulation of your mock data you can play with and compare with real data

 

| makeresults
| eval _raw = "{\"SigninId\": \"some-id\",
\"Policies\": [
{
\"id\": \"1234\",
\"displayName\": \"Policy1\",
\"result\": \"success\"
},
{
\"id\": \"4353\",
\"displayName\": \"Policy2\",
\"result\": \"failure\"
},
{
\"id\": \"0093\",
\"displayName\": \"Policy3\",
\"result\": \"notApplied\"
}
]"

 

 

Tags (2)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-18-2024 03:27 PM

Because each of those 2 fields has 3 values, you are effectively doing a 3x3 matrics stats, hence the results.

You will need to do something like this to join each of the policy bits of info together

| eval Policy=mvzip('Policies{}.displayName','Policies{}.result', "##")
| stats count by Policy

 and then finish it with

| eval Policy=split(Policy, "##")
| eval displayName=mvindex(Policy, 0), result=mvindex(Policy, 1)
| table displayName result count
0 Karma
Reply

Ara
New Member
‎01-23-2024 08:09 AM

Thanks! This looks to be returning the desired info and format. Though I noticed some Policies were missing counts for certain results. The number of different values possible for 'displayName' is showing less than is actually present in the event log. I think this may be an issue with Splunk itself and not the query though. 
Would you happen to know if it's possible for the number of values to have a max or limit in Splunk? 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...