About Ara

Ara · ‎01-23-2024

Thanks! This looks to be returning the desired info and format. Though I noticed some Policies were missing counts for certain results. The number of different values possible for 'displayName' is showing less than is actually present in the event log. I think this may be an issue with Splunk itself and not the query though. Would you happen to know if it's possible for the number of values to have a max or limit in Splunk?

Ara · ‎01-18-2024

Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out how which policies are not being used by looking at the number of times it was not applied. i.e.: Input: Desired Output: displayName result count Policy1 success 1 Policy2 failure 1 Policy3 notApplied 1 However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query? <my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result

Ara · ‎09-03-2020

I have followed the steps to configure this but I'm not sure what I should expect to see in the Business Transactions. How can I tell that it's set up properly? I am seeing a new type of Business Transaction labeled "All Other Traffic - PingAccess" but when I go to expand it, the URL field is blank and only one node is listed (we have multiple PingAccess nodes).

Posts	3
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎01-18-2024

Online Status	Offline
Date Last Visited	‎01-23-2024 05:47 PM

Impossible number of occurrences being returned

Re: Impossible number of occurrences being returne...

Impossible number of occurrences being returned

Re: How do I detect and correlate Business Transac...