rezamt · June 19, 2025 03:44
diff --git a/splunk.spl b/splunk.spl
 | eval policy_result_pairs=mvzip('properties.appliedConditionalAccessPolicies{}.displayName', 'properties.appliedConditionalAccessPolicies{}.result', ":")
 | mvexpand policy_result_pairs
 | rex field=policy_result_pairs "^(?<policy_name>[^:]+):(?<policy_result>.+)$"
 | search (policy_name="policy1" OR policy_name="policy2") AND policy_result="failure"
	\| eval policy_result_pairs=mvzip('properties.appliedConditionalAccessPolicies{}.displayName', 'properties.appliedConditionalAccessPolicies{}.result', ":")
	\| mvexpand policy_result_pairs
	\| rex field=policy_result_pairs "^(?<policy_name>[^:]+):(?<policy_result>.+)$"
	\| search (policy_name="policy1" OR policy_name="policy2") AND policy_result="failure"