
I am looking at the following blog:

https://chronicle.security/blog/posts/new-to-chronicle-a-new-view-for-search/

 

In this it says:

The number on the right side of the panel represents the total events that contain a value for that field, and the number in parentheses next to it is the count of distinct values.

Does the number in parentheses indicate the count of events that contain a distinct value? And if yes, what does it essentially mean? Can you provide an example to help me understand?

Thanks!

Here is a view of that side panel from a recent search. Notice it has been renamed to Aggregations in the current UI. Below are the fields metadata.product_name and metadata.event_type. In our result set, we have 143 events and each of these fields has a value in every event, so the value on the far right is 143. Within the parentheses, we can see that there are 5 distinct values for product_name and 4 for event_type.


When I expand the field, I see the 5 values for metadata.product_name and the 4 values for metadata.event_type within. In this case Office 365 is one of those 5 distinct values and 11 events have that product_name, and 19 of the 143 events have the event_type USER_LOGIN.



As I mentioned earlier, not all events will have a field populated. Here we have the target.application field, which is only populated in 24 of the 143 events in our search. Of those 24 events, there are 7 distinct applications, and the AzureActiveDirectory value is seen 10 times out of the 24 times that field is populated.



Hope that helps!
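As an added illustration (not part of the original thread or of Chronicle's code), the script below reproduces the three numbers the answer describes, the populated-event count on the right, the distinct-value count in parentheses, and the per-value counts shown when a field is expanded, over a constructed set of UDM-shaped events. The event contents and the `get_path`/`aggregate` helpers are made up for the example; note that `target.application` is deliberately missing from some events.

```python
from collections import Counter

# Constructed sample events in a UDM-like nested shape (not real Chronicle data).
# target.application is intentionally absent from some events, as in the answer.
SAMPLE_EVENTS = [
    {"metadata": {"product_name": "Office 365", "event_type": "USER_LOGIN"},
     "target": {"application": "AzureActiveDirectory"}},
    {"metadata": {"product_name": "Office 365", "event_type": "USER_LOGIN"},
     "target": {"application": "AzureActiveDirectory"}},
    {"metadata": {"product_name": "Windows", "event_type": "PROCESS_LAUNCH"}},
    {"metadata": {"product_name": "Windows", "event_type": "USER_LOGIN"},
     "target": {"application": "Exchange"}},
    {"metadata": {"product_name": "Okta", "event_type": "USER_LOGIN"}},
]


def get_path(event, dotted):
    """Resolve a dotted UDM-style path such as 'target.application'; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def aggregate(events, field):
    """Mirror one row of the Aggregations panel for `field`.

    Returns (populated, distinct, counts): populated is the right-hand number
    (events that carry a value), distinct is the number in parentheses, and
    counts maps each distinct value to how many events carry it.
    """
    counts = Counter(v for v in (get_path(e, field) for e in events) if v is not None)
    populated = sum(counts.values())
    distinct = len(counts)
    return populated, distinct, dict(counts)


def panel(events, fields):
    """Build the whole side panel: one aggregate row per requested field."""
    return {f: aggregate(events, f) for f in fields}


if __name__ == "__main__":
    fields = ["metadata.product_name", "metadata.event_type", "target.application"]
    for field, (populated, distinct, counts) in panel(SAMPLE_EVENTS, fields).items():
        print(f"{field}  {populated} ({distinct})")
        for value, n in Counter(counts).most_common():
            print(f"    {value}: {n}")
```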


 




 


Thank you very much for this explanation. It is very helpful.

