Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare fields with similar names

adrien_dereumau
Path Finder
‎08-23-2019 06:33 AM

I feed my index with many totals and actual use values. Each of those fields are in the following event:

{   [-] 
   licenses: {  [-] 
     compiler_em66: {   [-] 
       totalLicenses: 70    
       usedLicenses: 39 
     },
   compiler_am66: { [-] 
       totalLicenses: 30    
       usedLicenses: 19 
     }  
   }    
   serverURL: port@server.com   
}

As raw text event, example 1:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"19"}}}

As raw text event, example 2:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"35"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"12"}}}

What I want to do is to have a result showing a tab with for each:

"licenseName":"max(usedLicenses),totalLicenses"

With current example:
"compiler_em66":"39,70"
"compiler_am66":"19,30"

Would that be possible and how?
Pretty new to the Splunk search language

0 Karma
Reply

Sukisen1981
Champion
‎08-23-2019 02:34 PM

hi @adrien_dereumaux

assuming your _raw events are exactly as you describe, with quotes, try this:

| rex field=_raw "(?<raw>.*?)\s+" max_match=0
| table raw
| mvexpand raw
| rex field=raw "actualValue\"+\=+\"(?<actual>.*?)\"" max_match=0 
| rex field=raw "maximum\"+\=+\"(?<max>.*?)\"" max_match=0 
| rex field=raw "randomName(?<name>.*?)\." max_match=0
| stats max(actual) as actual,max(max) as max by name
| eval tab="\""+"randomName"+name+"\""+":"+"\""+actual+","+max+"\""
| fields tab
0 Karma
Reply

Sukisen1981
Champion
‎08-26-2019 12:54 AM

hi @adrien_dereumaux

Please check the answer and accept it ,if it resolves your issue

0 Karma
Reply

adrien_dereumau
Path Finder
‎09-02-2019 04:58 AM

Hi @Sukisen1981 , sorry I was on hollidays.
Your answer seems perfect to me but I have struggles to implement it.
I tried not leaking informations on it but it seems that I should just give more informations on the data I have, the Event is the following:

{   [-] 
   licenses: {  [-] 
     compiler_em66: {   [-] 
       totalLicenses: 70    
       usedLicenses: 39 
     },
   compiler_am66: { [-] 
       totalLicenses: 70    
       usedLicenses: 39 
     }  
   }    
   serverURL: port@server.com   
}

As raw text:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"70", "usedLicenses":"39"}}}

I still changed the server URL for obvious reasons. And we can have many kind of licenses names and I would like to compare each of them.

I don't really understand how the regex works in splunk, can you link me a good article for this one?

0 Karma
Reply

Sukisen1981
Champion
‎09-02-2019 05:25 AM

hi @adrien_dereumaux

It does not look my answer resolved your issue, please unaccept it, as it might lead other forum members to the wrong solution in the future.
What is the output you get when you try my regex?

0 Karma
Reply

adrien_dereumau
Path Finder
‎09-04-2019 01:52 AM

Hi @Sukisen1981 I simplified my input to stop bothering myself too much:

{   [-] 
   license: licenseName
   serverURL: port@server.com   
   total: 325   
   used: 29 
}

Or as a raw text is now:

{"serverURL":"port@server.com", "license":"qacpp-mbrw v4.4", "total":"325", "used":"29"}

I used your answer and modified it to get the expected result:

index=cc_esm3_monitoring
| stats max(total) as total, max(used) as used by license
| eval tab="\""+"license:"+license+"\""+":"+"\""+used+","+total+"\""
| fields tab

Which gives me the following results:

"license:licenseName1":"0,11"
"license:licenseName2":"3,11"
"license:licenseName3":"0,3"
"license:licenseName4":"1,11"

Thanks for your help!
Since I shifted from the original question, what should I do?

0 Karma
Reply

adrien_dereumau
Path Finder
‎09-02-2019 05:38 AM

I tried changing it as follow:

     | rex field=_raw "(?<raw>.*?)\s+" max_match=0
     | table raw
     | mvexpand raw
     | rex field=raw "usedLicenses\"+\=+\"(?<actual>.*?)\"" max_match=0 
     | rex field=raw "totalLicenses\"+\=+\"(?<max>.*?)\"" max_match=0 
     | rex field=raw "licenses(?<name>.*?)\." max_match=0
     | stats max(actual) as actual,max(max) as max by name
     | eval tab="\""+"licenseName"+name+"\""+":"+"\""+actual+","+max+"\""
     | fields tab

And I get the "No results found".
I'm sorry I should have given the real data from the beginning

0 Karma
Reply

adrien_dereumau
Path Finder
‎09-02-2019 05:39 AM

Updated the question with real data

0 Karma
Reply

somesoni2
Revered Legend
‎08-23-2019 07:33 AM

So there are multiple set of randonName<N>. fields in one single event?? And you want to show max(ActualValue) and Maximum for each of the <N> fields?

0 Karma
Reply

adrien_dereumau
Path Finder
‎08-23-2019 07:37 AM

I tried stats, it will become less good to see the data when I have many servers.
@somesoni2: I have actually 15 differents kinds of event and each of them has one to five randomName, adn you understood well what I would like to do

0 Karma
Reply

qbolbk59
Path Finder
‎08-23-2019 06:58 AM

Hi,

I think you can simply do a stats of the data. something like this:
| stats values() as custom_file_name by

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...