Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Impossible number of occurrences being returned

Ara
New Member
‎01-18-2024 02:22 PM

Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out how which policies are not being used by looking at the number of times it was not applied.

i.e.:

Input:

Ara_1-1705615939662.png

 

Desired Output:

displayNameresultcount
Policy1success1
Policy2failure1
Policy3notApplied1

 

However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query?

<my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result

 

Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-23-2024 11:42 PM

(First off, please post sample data as text block, not screenshot.)  You should first convert JSON array Policy{} into multivalue of its JSON element before applying mvexpand.  spath is very useful here.  In 9.0, Splunk added a new command fromjson which is more convenient for your case.  The following uses fromjson:

 

| fromjson _raw
| mvexpand Policies
| fromjson Policies
| stats count by displayName result

 

Your mock data gives

displayNameresultcount
Policy1success1
Policy2failure1
Policy3notApplied1

This is an emulation of your mock data you can play with and compare with real data

 

| makeresults
| eval _raw = "{\"SigninId\": \"some-id\",
\"Policies\": [
{
\"id\": \"1234\",
\"displayName\": \"Policy1\",
\"result\": \"success\"
},
{
\"id\": \"4353\",
\"displayName\": \"Policy2\",
\"result\": \"failure\"
},
{
\"id\": \"0093\",
\"displayName\": \"Policy3\",
\"result\": \"notApplied\"
}
]"

 

 

Tags (2)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-18-2024 03:27 PM

Because each of those 2 fields has 3 values, you are effectively doing a 3x3 matrics stats, hence the results.

You will need to do something like this to join each of the policy bits of info together

| eval Policy=mvzip('Policies{}.displayName','Policies{}.result', "##")
| stats count by Policy

 and then finish it with

| eval Policy=split(Policy, "##")
| eval displayName=mvindex(Policy, 0), result=mvindex(Policy, 1)
| table displayName result count
0 Karma
Reply

Ara
New Member
‎01-23-2024 08:09 AM

Thanks! This looks to be returning the desired info and format. Though I noticed some Policies were missing counts for certain results. The number of different values possible for 'displayName' is showing less than is actually present in the event log. I think this may be an issue with Splunk itself and not the query though. 
Would you happen to know if it's possible for the number of values to have a max or limit in Splunk? 

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...