I have events with an array field named "tags". The tags array has 2 fields for each array object named "name" and "type". I reference this array as tags{}.name.
The values being returned for one event are:
name, type
Dept_Finance, Custom
Asset_Workstation, Custom
My goal is to count the events by tags starting with "Dept_".
(index="index_name") | dedup id | stats count by tags{}.name
This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_". The Asset_Workstation tag is attached to this event however I don't want it to output in the query. How can I pull records with multiple tags but exclude all tags not beginning with "Dept_" from the output?
I know this is an easy thing to do but I'm still learning SPL. Thanks for your help.
Thanks for your reply. It returns multiple results because there's more than one tag in the array per event. "stats count by tags{}.name" returns 1 count for each tag.
os_system_name: Microsoft Windows
os_type: Workstation
os_vendor: Microsoft
os_version: 22H2
risk_score: 747.0674438476562
severe_vulnerabilities: 1
tags: [ [-]
{ [-]
name: Asset_Workstation
type: CUSTOM
}
{ [-]
name: Dept_Finance
type: SITE
}
]
total_vulnerabilities: 1
Results:
tags{}.name | count |
Asset_Workstation | 1 |
Dept_Finance | 1 |
I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck. I just stumbled on my answer but I appreciate your time looking at this. I knew it had to be a simple query but I wasn't initially able to put it together. Feel free to offer a better more efficient way to get the below results.
(index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")
Results:
dept | count |
Dept_Finance | 1 |
Thanks for your reply. It returns multiple results because there's more than one tag in the array per event. "stats count by tags{}.name" returns 1 count for each tag.
os_system_name: Microsoft Windows
os_type: Workstation
os_vendor: Microsoft
os_version: 22H2
risk_score: 747.0674438476562
severe_vulnerabilities: 1
tags: [ [-]
{ [-]
name: Asset_Workstation
type: CUSTOM
}
{ [-]
name: Dept_Finance
type: SITE
}
]
total_vulnerabilities: 1
Results:
tags{}.name | count |
Asset_Workstation | 1 |
Dept_Finance | 1 |
I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck. I just stumbled on my answer but I appreciate your time looking at this. I knew it had to be a simple query but I wasn't initially able to put it together. Feel free to offer a better more efficient way to get the below results.
(index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")
Results:
dept | count |
Dept_Finance | 1 |
This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_".
I don't understand this statement. Other than groupby field tags{}.name itself, | stats count by tags{}.name only gives one single output, that is count. How does it "include other tags", Dept_ or not?
You can help us by illustrating the results you want, and the results the search actually gives you. (Anonymize as needed.) Explain why the result is not what you expected.