<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: spath for the JSON in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493896#M84374</link>
    <description>&lt;P&gt;If you use &lt;CODE&gt;rex&lt;/CODE&gt;, what's problem? &lt;BR /&gt;
use &lt;CODE&gt;eval&lt;/CODE&gt; to calculate.&lt;/P&gt;</description>
    <pubDate>Wed, 13 May 2020 10:17:24 GMT</pubDate>
    <dc:creator>to4kawa</dc:creator>
    <dc:date>2020-05-13T10:17:24Z</dc:date>
    <item>
      <title>spath for the JSON</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493891#M84369</link>
      <description>&lt;P&gt;&lt;STRONG&gt;How can we use spath for below JSON to evaluate if for ConcurrentAsyncGetReportInstances , Remaining/Max*100 is &amp;gt;= 70%? Coul any one please help?&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;{&lt;BR /&gt;
   "AnalyticsExternalDataSizeMB":{&lt;BR /&gt;
      "Max":478600,&lt;BR /&gt;
      "Remaining":40960&lt;BR /&gt;
   },&lt;BR /&gt;
   "ConcurrentAsyncGetReportInstances":{&lt;BR /&gt;
      "Max":400,&lt;BR /&gt;
      "Remaining":200&lt;BR /&gt;
   },&lt;BR /&gt;
   "ConcurrentEinsteinDataInsightsStoryCreation":{&lt;BR /&gt;
      "Max":5,&lt;BR /&gt;
      "Remaining":5&lt;BR /&gt;
   },&lt;BR /&gt;
   "ConcurrentEinsteinDiscoveryStoryCreation":{&lt;BR /&gt;
      "Max":2,&lt;BR /&gt;
      "Remaining":2&lt;BR /&gt;
   },&lt;BR /&gt;
   "ConcurrentSyncReportRuns":{&lt;BR /&gt;
      "Max":20,&lt;BR /&gt;
      "Remaining":20&lt;BR /&gt;
   },&lt;BR /&gt;
   "DailyAnalyticsDataflowJobExecutions":{&lt;BR /&gt;
      "Max":60,&lt;BR /&gt;
      "Remaining":60&lt;BR /&gt;
   },&lt;BR /&gt;
   "DailyAnalyticsUploadedFilesSizeMB":{&lt;BR /&gt;
      "Max":51200,&lt;BR /&gt;
      "Remaining":51200&lt;BR /&gt;
   },&lt;/P&gt;</description>
      <pubDate>Tue, 12 May 2020 14:11:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493891#M84369</guid>
      <dc:creator>sanjax90</dc:creator>
      <dc:date>2020-05-12T14:11:27Z</dc:date>
    </item>
    <item>
      <title>Re: spath for the JSON</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493892#M84370</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;your search
| spath
| eval perc = ('ConcurrentAsyncGetReportInstances{}.Max' / 'ConcurrentAsyncGetReportInstances{}.Remaining' * 100)
| where perc &amp;gt;= 70
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 12 May 2020 21:49:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493892#M84370</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-05-12T21:49:42Z</dc:date>
    </item>
    <item>
      <title>Re: spath for the JSON</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493893#M84371</link>
      <description>&lt;P&gt;This search query is running but there are no results. upon removing: &lt;STRONG&gt;| where perc &amp;gt;= 70&lt;/STRONG&gt; , i see the normal search result that i was getting earlier in the form of JSON and nothing new in the left panel(Selected Fields or Interesting Fields)&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2020 07:09:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493893#M84371</guid>
      <dc:creator>sanjax90</dc:creator>
      <dc:date>2020-05-13T07:09:29Z</dc:date>
    </item>
    <item>
      <title>Re: spath for the JSON</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493894#M84372</link>
      <description>&lt;P&gt;&lt;CODE&gt;nothing new&lt;/CODE&gt;&lt;BR /&gt;
your sample is wrong. These are multivalues, aren't you?&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2020 08:51:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493894#M84372</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-05-13T08:51:49Z</dc:date>
    </item>
    <item>
      <title>Re: spath for the JSON</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493895#M84373</link>
      <description>&lt;P&gt;the sample is correct and I achieved it via regular expressions : ConcurrentSyncReportRuns\':\s{\'Max':\s(?\d+)\,\s'Remaining':\s(?\d+),&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2020 09:50:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493895#M84373</guid>
      <dc:creator>sanjax90</dc:creator>
      <dc:date>2020-05-13T09:50:39Z</dc:date>
    </item>
    <item>
      <title>Re: spath for the JSON</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493896#M84374</link>
      <description>&lt;P&gt;If you use &lt;CODE&gt;rex&lt;/CODE&gt;, what's problem? &lt;BR /&gt;
use &lt;CODE&gt;eval&lt;/CODE&gt; to calculate.&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2020 10:17:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/spath-for-the-JSON/m-p/493896#M84374</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-05-13T10:17:24Z</dc:date>
    </item>
  </channel>
</rss>

