×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Ara
Engager
Member since: ‎01-18-2024
‎05-05-2025
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-18-2024
View All

Re: Trouble looping through table and performing a...

by in Splunk Search
‎05-05-2025 07:44 AM
‎05-05-2025 07:44 AM
Thank you for your response! This solution worked. I was not aware of the 10-result limit with map. ... View more

Trouble looping through table and performing a sub...

by in Splunk Search
‎05-01-2025 04:18 PM
‎05-01-2025 04:18 PM
I am trying to loop over a table and perform a subsearch for each item. I can confirm I am generating the first table with correct values. However the subsearch portion is not returning any results.  Can someone help me figure out where my query is wrong? Would be very much appreciated! index=xyz "someString" | rex field=msg "DEBUG\s+\|\s+(?<traceid>[a-f0-9-]{36})" | table traceid | map search="search index=xyz \"$traceid$\" AND \"REQUEST BODY\" | rex field=msg \"artifact_guid\":\"(?<artifact_guid>[a-f0-9-]{36})\" | rex field=msg \"email_address\":\"(?<email_address>[^\"]+)\" | table traceid, artifact_guid, email_address" ... View more
Labels

Re: Impossible number of occurrences being returne...

by in Splunk Search
‎01-23-2024 08:09 AM
‎01-23-2024 08:09 AM
Thanks! This looks to be returning the desired info and format. Though I noticed some Policies were missing counts for certain results. The number of different values possible for 'displayName' is showing less than is actually present in the event log. I think this may be an issue with Splunk itself and not the query though.  Would you happen to know if it's possible for the number of values to have a max or limit in Splunk?  ... View more

Impossible number of occurrences being returned

by in Splunk Search
‎01-18-2024 02:22 PM
‎01-18-2024 02:22 PM
Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out how which policies are not being used by looking at the number of times it was not applied. i.e.: Input:   Desired Output: displayName result count Policy1 success 1 Policy2 failure 1 Policy3 notApplied 1   However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query? <my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-05-2025 07:42 AM