I am trying to write a Splunk search to pull what rules a particular user is hitting. This search is helping with that, BUT everything is coming through as a urlrulelabel. When I move apprulelabel to the start of the line, everything comes through as an apprulelabel. When I dive into the events, I see there are other rules showing, but they aren't populating in the statistics table. I would like to have each rule come through as its own.

index=zscaler sourcetype=zscalernss-web user=*
| eval rule_type=case(isnotnull(urlrulelabel), "urlrulelabel", isnotnull(apprulelabel), "apprulelabel", isnotnull(rulelabel), "rulelabel", true(), "unknown")
| eval rule=coalesce(apprulelabel, urlrulelabel, rulelabel)
| stats count by rule, rule_type
| rename rule as Rule, rule_type as "Type of Rule", count as "Hit Count"
| sort - "Hit Count"
Thank you in advance
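An added example search (not from the poster) that reports every populated rule label on an event as its own row, instead of letting case()/coalesce() pick only the first field that exists. It assumes the three Zscaler NSS web fields named in the question (urlrulelabel, apprulelabel, rulelabel) and, as an assumption, that an unset label can arrive as an empty string or the placeholder "None", which would otherwise count as "not null" and swallow the other rule types.

```spl
index=zscaler sourcetype=zscalernss-web user=*
| foreach urlrulelabel apprulelabel rulelabel
    [ eval <<FIELD>>=if(<<FIELD>>=="" OR <<FIELD>>=="None", null(), <<FIELD>>) ]
| eval rule_pairs=mvappend(
      if(isnotnull(urlrulelabel), "urlrulelabel=".urlrulelabel, null()),
      if(isnotnull(apprulelabel), "apprulelabel=".apprulelabel, null()),
      if(isnotnull(rulelabel),    "rulelabel=".rulelabel,       null()))
| eval rule_pairs=if(isnull(rule_pairs), "unknown=unknown", rule_pairs)
| mvexpand rule_pairs
| rex field=rule_pairs "^(?<rule_type>[^=]+)=(?<rule>.*)$"
| stats count by rule, rule_type
| rename rule as Rule, rule_type as "Type of Rule", count as "Hit Count"
| sort - "Hit Count"
```

Before changing the search, running `index=zscaler sourcetype=zscalernss-web user=* | stats count(urlrulelabel) count(apprulelabel) count(rulelabel)` shows how many events populate each field, which confirms whether one label is present on nearly every event and is therefore winning the case() ordering.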