Splunk Search

Using stats count by to query the number of policies?

soulmaker24
Engager

Hello,

I am trying to figure out how I could list a report showing the total number of policies in my query.

I have the sample Event below:

{
  "auth": {
    "display_name": "sample-name",
    "policies": [
      "default",
      "admin"
    ]
  },
  "type": "request"
}


So, when I use the search query below, I get a count per display_name.

type="request" | stats count by auth.display_name

However, what I need is to show me the count of the policies, which in this case are default and admin. I am using the query below but it does not give me any result.

type="request" | stats count by auth.policies

Would someone be able to guide me what is the correct syntax to use to get the result I want?

1 Solution

yeahnah
Motivator

Hi @soulmaker24 

The auth.policies{} field is an array, which in this case results in a multivalue field. For the stats command to group by that field it needs to be a single value, which can be done using the mvexpand command, like this...

type="request"
| mvexpand auth.policies{}
| stats count BY auth.policies{}

Also, for next time, showing the event is really useful, and it is even more useful if you add it with syntax highlighting turned off - basically the _raw event.

Hope this helps

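To try the accepted answer without the original data, here is an added, self-contained search (not from the thread) that builds two constructed events with makeresults in the same shape as the sample above, extracts the JSON with spath, and then applies the mvexpand plus stats pattern from the answer. The second event, its display_name "other-name" and its single policy are assumptions made up for the illustration:

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "{\"auth\":{\"display_name\":\"sample-name\",\"policies\":[\"default\",\"admin\"]},\"type\":\"request\"}",
    "{\"auth\":{\"display_name\":\"other-name\",\"policies\":[\"default\"]},\"type\":\"request\"}")
| spath
| search type="request"
| mvexpand auth.policies{}
| stats count BY auth.policies{}
```

Running this returns one row per policy: default counted twice (once from each event) and admin counted once. The point worth keeping in mind is that mvexpand emits one copy of an event for every value in the array, so the counts are policy occurrences, not events, and a single event with two policies contributes to two rows. If what you actually need is how many distinct identities hold each policy, swap the last line for `stats dc(auth.display_name) BY auth.policies{}`, and for a per-identity breakdown use `stats count BY auth.display_name, auth.policies{}`.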

soulmaker24
Engager

Thank you, I did realise I was missing the {} at the end. Appreciate your help on this one.
