Solved: How to remove top result or keyword from showing i...

soulmaker · ‎06-30-2024

Hi there, I have this query below to search the top policies that has been used.

type="request" "request.path"="prod/" | stats count by policies{} | sort  -count  | head 10

by default all the policies is being generated with "default" which I wanted to get rid of when searching so properly shows the top 10 policies only.

The search query above example results are:

policies:
default
policies_1
policies_2
policies_3
....

I wanted to get rid of the default showing on my result. Any idea or help is really appricated.

bowesmana · ‎06-30-2024

As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work

type="request" "request.path"="prod/" 
| stats count by policies{} 
| sort  -count  
| where 'policies{}' != "default"
| head 10

View solution in original post

bowesmana · ‎06-30-2024

As your policies JSON looks like it's an array, if you are saying that all events will have a 'default' policy as well as another policy, then this should work

type="request" "request.path"="prod/" 
| stats count by policies{} 
| sort  -count  
| where 'policies{}' != "default"
| head 10

soulmaker · ‎06-30-2024

Awesome, this works as well. Thanks again for your help on this one.

How to remove top result or keyword from showing in searh

chart

Classic dashboard

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation