Splunk Search

Using stats count by to query the number of policies?

soulmaker24
Engager

Hello,

I am trying to figure out how I could list a report showing the total number of policies in my query.

I have the sample Event below:

{
  "auth": {
    "display_name": "sample-name",
    "policies": [
      "default",
      "admin"
    ]
  },
  "type": "request"
}

So, when I use the search query below, I get a count per display_name.

type="request" | stats count by auth.display_name

However, what I need is the count of the policies, which in this case are default and admin. I am using the query below but it does not give me any result.

type="request" | stats count by auth.policies

Would someone be able to guide me on the correct syntax to use to get the result I want?

1 Solution

yeahnah
Motivator

Hi @soulmaker24 

The auth.policies{} field is an array, so in this case it results in a multivalue field. For the stats command to group by that field it needs to be a single value, which can be done using the mvexpand command, like this...

 

type="request"
| mvexpand auth.policies{}
| stats count BY auth.policies{}

 

Also, for next time, showing the event is really useful; it is even more useful if you add it with syntax highlighting turned off, basically the _raw event.

Hope this helps

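As an added illustration (not code from the thread or from Splunk), the Python below approximates what the accepted pipeline does: Splunk-style flattening of the JSON event, where a key holding an array gets the `{}` suffix and becomes a multivalue field, followed by mvexpand and stats count BY. The events are constructed to match the shape of the one in the question, and the flattening rules are an approximation of Splunk's automatic JSON extraction for the simple case of scalar values and arrays of scalars.

```python
import json
from collections import Counter

# Constructed sample events in the shape of the question's event (not real log data).
RAW_EVENTS = [
    '{"auth": {"display_name": "sample-name", "policies": ["default", "admin"]}, "type": "request"}',
    '{"auth": {"display_name": "other-name", "policies": ["default"]}, "type": "request"}',
    '{"auth": {"display_name": "sample-name", "policies": ["default", "admin"]}, "type": "response"}',
]


def flatten(obj, prefix=""):
    """Approximate Splunk's automatic JSON field extraction: nested keys are joined
    with '.', and a key whose value is an array is named with a '{}' suffix and
    becomes a multivalue field (represented here as a Python list).
    Assumption: only scalars and arrays of scalars occur, as in the question."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        elif isinstance(value, list):
            fields[name + "{}"] = [str(v) for v in value]
        else:
            fields[name] = str(value)
    return fields


def search(raw_events, **terms):
    """Mimic the base search: keep only events whose fields match every term."""
    events = [flatten(json.loads(line)) for line in raw_events]
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]


def mvexpand(events, field):
    """'mvexpand <field>': emit one copy of the event per value of the multivalue field."""
    out = []
    for e in events:
        values = e.get(field)
        if isinstance(values, list):
            out.extend({**e, field: v} for v in values)
        else:
            out.append(e)
    return out


def stats_count_by(events, field):
    """'stats count BY <field>': events lacking the field are dropped. The field is
    assumed single-valued, i.e. mvexpand has already been applied as in the answer."""
    return Counter(e[field] for e in events if field in e and not isinstance(e[field], list))
```

Running `stats_count_by(search(RAW_EVENTS, type="request"), "auth.policies")` returns nothing because the extracted field is named `auth.policies{}`, which is exactly the mistake the question ran into; expanding `auth.policies{}` first and counting by it gives two for default and one for admin.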


soulmaker24
Engager

Thank you, I did realise I was missing the {} at the end. Appreciate your help on this one.
