Splunk Search

Using stats count by to query the number of policies?

soulmaker24
Engager

Hello,

I am trying to figure out how I could list a report showing the total number of policies in my query.

I have the sample Event below:


{
  "auth": {
    "display_name": "sample-name",
    "policies": [
      "default",
      "admin"
    ]
  },
  "type": "request"
}

So, when I use the search query below, I get a result with the count by display_name.

type="request" | stats count by auth.display_name

However, what I need is the count of the policies, which in this case are default and admin. I am using the query below, but it does not give me any result.

type="request" | stats count by auth.policies

Would someone be able to guide me on the correct syntax to use to get the result I want?


yeahnah
Motivator

Hi @soulmaker24 

The auth.policies{} field is an array, so in this case it results in a multivalue field. For the stats command to group by that field it needs to be a single value, which can be done using the mvexpand command, like this...


type="request"
| mvexpand auth.policies{}
| stats count BY auth.policies{}


Also, for next time, showing the event is really useful; it is even more useful if you add it with syntax highlighting turned off - basically the _raw event.

Hope this helps


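A self-contained version of that search, added here as an example and not taken from the thread: it builds two constructed events of the same shape with makeresults so it runs on any Splunk instance without the original data, then applies spath, mvexpand and stats. The second event (other-name, holding only the default policy) and the dc() column are assumptions added to show a count greater than 1 and how many distinct callers hold each policy.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "{\"auth\":{\"display_name\":\"sample-name\",\"policies\":[\"default\",\"admin\"]},\"type\":\"request\"}",
    "{\"auth\":{\"display_name\":\"other-name\",\"policies\":[\"default\"]},\"type\":\"request\"}")
| spath
| search type="request"
| mvexpand auth.policies{}
| stats count AS requests, dc(auth.display_name) AS distinct_callers BY auth.policies{}
| rename auth.policies{} AS policy
```

Expected output is one row per policy: default with requests=2 and distinct_callers=2, admin with requests=1 and distinct_callers=1; without the mvexpand step, stats would try to group on the whole multivalue field and return nothing useful for the per-policy count.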


soulmaker24
Engager

Thank you, I did realise I was missing the {} at the end. Appreciate your help on this one.
