Solved

UDM search

  • March 8, 2024
  • 2 replies
  • 47 views

mountaincode2

I am looking at the following blog:

https://chronicle.security/blog/posts/new-to-chronicle-a-new-view-for-search/

 

In this it says:

The number on the right side of the panel represents the total events that contain a value for that field and the number in parenthesis next is the count of distinct values.

Does the number in parentheses indicate the count of events that contain a distinct value? And if so, what does it essentially mean? Can you provide an example to help me understand?

Thanks!

Best answer by jstoner

2 replies

jstoner
  • Staff
  • Answer
  • March 11, 2024

Here is a view of that side panel from a recent search. Notice it has been renamed to aggregations in the current UI. Below are the fields metadata.product_name and metadata.event_type. In our result set, we have 143 events and each of these fields has a value in every event, so the value on the far right is 143. Within the parentheses, we can see that there are 5 distinct values for product name and 4 for event_type.

When I expand the field, I see the 5 values for metadata.product_name and the 4 values for metadata.event_type within. In this case Office 365 is one of those 5 distinct values and 11 events have that product_name, and 19 of the 143 events have an event_type of USER_LOGIN.

As I mentioned earlier, not all events will have a field populated. Here we have the target.application field, which is only populated in 24 of the 143 events in our search. Of those 24 events, there are 7 distinct applications, and the AzureActiveDirectory value is seen 10 times out of the 24 times that field is populated.

Hope that helps!
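To make the three numbers concrete, here is an added Python example; it is not part of the original thread and is not Chronicle's own code. It computes, for a handful of constructed UDM-style events, the same figures the aggregations panel shows: the number of events that carry a value for the field (far right), the distinct-value count (in parentheses), and the per-value breakdown seen when a field is expanded. It goes slightly beyond the thread by also handling a repeated field (principal.ip); how the real UI counts repeated fields and empty values is not stated on the page, so the treatment here is an assumption.

```python
from collections import Counter
from typing import Any

# Constructed sample of UDM-style events. The field paths follow UDM naming
# (metadata.product_name, metadata.event_type, target.application, principal.ip)
# but the values and counts are made up for this illustration, not real data.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"metadata": {"product_name": "Office 365", "event_type": "USER_LOGIN"},
     "target": {"application": "AzureActiveDirectory"}},
    {"metadata": {"product_name": "Office 365", "event_type": "USER_LOGIN"},
     "target": {"application": "AzureActiveDirectory"}},
    {"metadata": {"product_name": "Office 365", "event_type": "USER_LOGIN"},
     "target": {"application": "Exchange"}},
    {"metadata": {"product_name": "Windows Event", "event_type": "PROCESS_LAUNCH"}},
    {"metadata": {"product_name": "Windows Event", "event_type": "PROCESS_LAUNCH"}},
    {"metadata": {"product_name": "Okta", "event_type": "USER_LOGIN"},
     "target": {"application": "Okta"}},
    {"metadata": {"product_name": "Zeek", "event_type": "NETWORK_CONNECTION"},
     "principal": {"ip": ["10.0.0.5", "10.0.0.6"]}},
    {"metadata": {"product_name": "Zeek", "event_type": "NETWORK_CONNECTION"},
     "principal": {"ip": ["10.0.0.5"]}},
]


def get_path(event: dict[str, Any], path: str) -> Any:
    """Walk a dotted UDM path and return the value, or None if absent.

    Assumption: an empty string, list or dict counts as "not populated",
    the same as a missing field; the page does not say how the UI treats those.
    """
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return None if cur in (None, "", [], {}) else cur


def aggregate(events, path: str) -> tuple[int, int, Counter]:
    """Compute the three numbers the panel shows for one field.

    Returns (events_with_value, distinct_values, per_value_event_counts):
      events_with_value      - the number on the far right of the panel
      distinct_values        - the number in parentheses
      per_value_event_counts - what you see when you expand the field
    Assumption for repeated (list-valued) fields such as principal.ip: the
    event counts once as populated, and each distinct element it carries is
    credited once, so per-value counts may sum to more than events_with_value.
    """
    populated = 0
    per_value: Counter = Counter()
    for ev in events:
        value = get_path(ev, path)
        if value is None:
            continue
        populated += 1
        items = value if isinstance(value, list) else [value]
        for item in set(str(i) for i in items):
            per_value[item] += 1
    return populated, len(per_value), per_value


def render_panel(events, fields) -> str:
    """Render a text version of the aggregations side panel for the given fields."""
    lines = []
    for field in fields:
        populated, distinct, per_value = aggregate(events, field)
        lines.append(f"{field} ({distinct}) {populated}")
        for value, n in per_value.most_common():
            lines.append(f"    {value} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_panel(SAMPLE_EVENTS, [
        "metadata.product_name", "metadata.event_type",
        "target.application", "principal.ip",
    ]))
```

With this sample, metadata.product_name shows (4) 8 because every event has a product name and four different ones occur, while target.application shows (3) 4 because only four of the eight events populate it; expanding it shows AzureActiveDirectory 2, Exchange 1, Okta 1, which is the same relationship as the 24-event, 7-distinct, AzureActiveDirectory-10 example in the answer above.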

 


mountaincode2
  • Author
  • March 13, 2024

Thank you very much for this explanation. It is very helpful.