cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Ara
New Member
Member since: ‎01-18-2024
‎01-23-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-18-2024
Activity Feed
View All

Re: Impossible number of occurrences being returne...

by in Splunk Search
‎01-23-2024 08:09 AM
‎01-23-2024 08:09 AM
Thanks! This looks to be returning the desired info and format. Though I noticed some Policies were missing counts for certain results. The number of different values possible for 'displayName' is showing less than is actually present in the event log. I think this may be an issue with Splunk itself and not the query though.  Would you happen to know if it's possible for the number of values to have a max or limit in Splunk?  ... View more

Impossible number of occurrences being returned

by in Splunk Search
‎01-18-2024 02:22 PM
‎01-18-2024 02:22 PM
Given the sample event below representing a user sign-in, I am trying to create a table that shows each combination of a 'policy' and 'result' and the number of occurrences for that combination. There are only three possible result values for any given policy (success, failure, or notApplied). In essence, I need this table to find out how which policies are not being used by looking at the number of times it was not applied. i.e.: Input:   Desired Output: displayName result count Policy1 success 1 Policy2 failure 1 Policy3 notApplied 1   However, the query I currently have is returning a sum that isn't possible because the sum is exceeding the number of sign-in events. What is wrong with my query? <my_search> | stats count by Policies{}.displayName, ConditionalAccessPolicies{}.result   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-23-2024 05:47 PM