Solved: How to remove top result or keyword from showing i...

soulmaker · ‎06-30-2024

Hi there, I have this query below to search the top policies that has been used.

type="request" "request.path"="prod/" | stats count by policies{} | sort  -count  | head 10

by default all the policies is being generated with "default" which I wanted to get rid of when searching so properly shows the top 10 policies only.

The search query above example results are:

policies:
default
policies_1
policies_2
policies_3
....

I wanted to get rid of the default showing on my result. Any idea or help is really appricated.

bowesmana · ‎06-30-2024

As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work

type="request" "request.path"="prod/" 
| stats count by policies{} 
| sort  -count  
| where 'policies{}' != "default"
| head 10

View solution in original post

bowesmana · ‎06-30-2024

As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work

type="request" "request.path"="prod/" 
| stats count by policies{} 
| sort  -count  
| where 'policies{}' != "default"
| head 10

soulmaker · ‎06-30-2024

Awesome, this works as well. Thanks again for your help on this one.

How to remove top result or keyword from showing in searh

chart

Classic dashboard

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk