spath for the JSON

sanjax90 · ‎05-12-2020

How can we use spath for below JSON to evaluate if for ConcurrentAsyncGetReportInstances , Remaining/Max*100 is >= 70%? Coul any one please help?

{
"AnalyticsExternalDataSizeMB":{
"Max":478600,
"Remaining":40960
},
"ConcurrentAsyncGetReportInstances":{
"Max":400,
"Remaining":200
},
"ConcurrentEinsteinDataInsightsStoryCreation":{
"Max":5,
"Remaining":5
},
"ConcurrentEinsteinDiscoveryStoryCreation":{
"Max":2,
"Remaining":2
},
"ConcurrentSyncReportRuns":{
"Max":20,
"Remaining":20
},
"DailyAnalyticsDataflowJobExecutions":{
"Max":60,
"Remaining":60
},
"DailyAnalyticsUploadedFilesSizeMB":{
"Max":51200,
"Remaining":51200
},

to4kawa · ‎05-12-2020

your search
| spath
| eval perc = ('ConcurrentAsyncGetReportInstances{}.Max' / 'ConcurrentAsyncGetReportInstances{}.Remaining' * 100)
| where perc >= 70

sanjax90 · ‎05-13-2020

This search query is running but there are no results. upon removing: | where perc >= 70 , i see the normal search result that i was getting earlier in the form of JSON and nothing new in the left panel(Selected Fields or Interesting Fields)

to4kawa · ‎05-13-2020

nothing new
your sample is wrong. These are multivalues, aren't you?

sanjax90 · ‎05-13-2020

the sample is correct and I achieved it via regular expressions : ConcurrentSyncReportRuns\':\s{\'Max':\s(?\d+)\,\s'Remaining':\s(?\d+),

to4kawa · ‎05-13-2020

If you use rex, what's problem?
use eval to calculate.

spath for the JSON

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

spath for the JSON

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard