
Compare fields with similar names

Path Finder

I feed my index with many totals and actual use values. Each of those fields is in the following event:

{
  licenses: {
    compiler_em66: {
      totalLicenses: 70
      usedLicenses: 39
    },
    compiler_am66: {
      totalLicenses: 30
      usedLicenses: 19
    }
  }
  serverURL: port@server.com
}

As raw text event, example 1:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"19"}}}

As raw text event, example 2:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"35"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"12"}}}

What I want to do is to have a result showing a tab with for each:

"licenseName":"max(usedLicenses),totalLicenses"

With current example:
"compiler_em66":"39,70"
"compiler_am66":"19,30"

Would that be possible, and how?
I'm pretty new to the Splunk search language.

0 Karma

Re: Compare fields with similar names

Path Finder

Hi,

I think you can simply do a stats of the data, something like this:
| stats values(<field>) as customfilename by <field>

0 Karma

Re: Compare fields with similar names

SplunkTrust
SplunkTrust

So there are multiple sets of randomName<N>. fields in one single event? And you want to show max(ActualValue) and Maximum for each of the <N> fields?

0 Karma

Re: Compare fields with similar names

Path Finder

I tried stats; it makes the data harder to read when I have many servers.
@somesoni2: I actually have 15 different kinds of events, and each of them has one to five randomName fields, and you understood well what I would like to do.

0 Karma

Re: Compare fields with similar names

Champion

hi @adrien_dereumaux

assuming your _raw events are exactly as you describe, with quotes, try this:

| rex field=_raw "(?<raw>.*?)\s+" max_match=0
| table raw
| mvexpand raw
| rex field=raw "actualValue\"+\=+\"(?<actual>.*?)\"" max_match=0 
| rex field=raw "maximum\"+\=+\"(?<max>.*?)\"" max_match=0 
| rex field=raw "randomName(?<name>.*?)\." max_match=0
| stats max(actual) as actual,max(max) as max by name
| eval tab="\""+"randomName"+name+"\""+":"+"\""+actual+","+max+"\""
| fields tab
0 Karma

Re: Compare fields with similar names

Champion

hi @adrien_dereumaux

Please check the answer and accept it if it resolves your issue.

0 Karma

Re: Compare fields with similar names

Path Finder

Hi @Sukisen1981, sorry, I was on holidays.
Your answer seems perfect to me, but I am struggling to implement it.
I tried not to leak information about it, but it seems I should just give more information on the data I have. The event is the following:

{
  licenses: {
    compiler_em66: {
      totalLicenses: 70
      usedLicenses: 39
    },
    compiler_am66: {
      totalLicenses: 70
      usedLicenses: 39
    }
  }
  serverURL: port@server.com
}

As raw text:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"70", "usedLicenses":"39"}}}

I still changed the server URL for obvious reasons. And we can have many kinds of license names, and I would like to compare each of them.

I don't really understand how the regex works in Splunk; can you link me a good article on it?

0 Karma

Re: Compare fields with similar names

Champion

hi @adrien_dereumaux

It does not look like my answer resolved your issue; please unaccept it, as it might lead other forum members to the wrong solution in the future.
What output do you get when you try my regex?

0 Karma

Re: Compare fields with similar names

Path Finder

I tried changing it as follows:

     | rex field=_raw "(?<raw>.*?)\s+" max_match=0
     | table raw
     | mvexpand raw
     | rex field=raw "usedLicenses\"+\=+\"(?<actual>.*?)\"" max_match=0 
     | rex field=raw "totalLicenses\"+\=+\"(?<max>.*?)\"" max_match=0 
     | rex field=raw "licenses(?<name>.*?)\." max_match=0
     | stats max(actual) as actual,max(max) as max by name
     | eval tab="\""+"licenseName"+name+"\""+":"+"\""+actual+","+max+"\""
     | fields tab

And I get "No results found".
I'm sorry, I should have given the real data from the beginning.

0 Karma
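For the JSON events shown in this thread, the search below is an added example (not code from any of the posts above) that reworks the rex/mvexpand idea from the earlier answer so that the patterns match what is actually in `_raw`: the JSON separates keys from values with `:` rather than `=`, and nothing follows a license name with a `.`, which is why the adapted patterns return no results. The two sample events are the raw events from the question, constructed inline with `makeresults` so the search runs in any Splunk instance without data; the only assumption is the shape of the JSON, namely that every entry under `licenses` is a flat object holding `totalLicenses` and `usedLicenses` and no nested braces.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"serverURL\":\"port@server.com\", \"licenses\":{\"compiler_em66\":{\"totalLicenses\":\"70\", \"usedLicenses\":\"39\"},\"compiler_am66\":{\"totalLicenses\":\"30\", \"usedLicenses\":\"19\"}}}",
    n=2, "{\"serverURL\":\"port@server.com\", \"licenses\":{\"compiler_em66\":{\"totalLicenses\":\"70\", \"usedLicenses\":\"35\"},\"compiler_am66\":{\"totalLicenses\":\"30\", \"usedLicenses\":\"12\"}}}")
| spath path=serverURL output=serverURL
| rex field=_raw "\"(?<licName>[^\"]+)\":\{(?<licBody>[^{}]*)\}" max_match=0
| eval lic=mvzip(licName, licBody, "|")
| fields - licName licBody n
| mvexpand lic
| rex field=lic "^(?<licName>[^|]+)\|(?<licBody>.*)$"
| rex field=licBody "\"usedLicenses\":\s*\"?(?<used>\d+)"
| rex field=licBody "\"totalLicenses\":\s*\"?(?<total>\d+)"
| eval used=tonumber(used), total=tonumber(total)
| stats max(used) AS maxUsed, max(total) AS totalLicenses BY serverURL, licName
| eval tab="\"" . licName . "\":\"" . maxUsed . "," . totalLicenses . "\""
| table serverURL, licName, maxUsed, totalLicenses, tab
```

To run it against real data, replace the first three lines (`makeresults`, `streamstats`, `eval _raw=...`) with the `index=... sourcetype=...` search that returns the license events. The reason stats cannot be used directly is that with automatic JSON extraction the fields come out as `licenses.compiler_em66.usedLicenses`, `licenses.compiler_am66.usedLicenses` and so on, with the license name buried in the field name, so the search first un-pivots each license object into its own row. The first `rex` only matches an object whose body contains no further `{` or `}`, which skips the outer `licenses` wrapper and stops at each license; `mvzip` keeps the name and body from the same match together before `mvexpand` splits them into rows, otherwise the two multivalue fields would be expanded independently. `mvexpand` is bounded by the `max_mem_usage_mb` setting in `limits.conf`, so on very large result sets filter the events first. With the two sample events the result rows are `"compiler_em66":"39,70"` and `"compiler_am66":"19,30"`, which is the output requested in the question.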

Re: Compare fields with similar names

Path Finder

Updated the question with the real data.

0 Karma