Hello,
I am trying to figured out how I could list a report by showing the total number of policies in my query.
I have the sample Event below:
{ [-]
auth : { [-]
display_name: sample-name
policies: [ [-]
default
admin
]
}
type: request
}
So, when I am using a search query below, I got a result of number of display_name.
type="request" | stats count by auth.display_name
However, what I need is to show me the result count of the policies which in this case the default and admin. I am using the query below but it does not give me any result.
type="request" | stats count by auth.policies
Would someone be able to guide me what is the correct syntax to use to get the result I want?
... View more