
Compare fields with similar names

adrien_dereumau
Path Finder

I feed my index with many totals and actual use values. Each of those fields is in the following event:

{
   licenses: {
     compiler_em66: {
       totalLicenses: 70
       usedLicenses: 39
     },
     compiler_am66: {
       totalLicenses: 30
       usedLicenses: 19
     }
   }
   serverURL: port@server.com
}

As raw text event, example 1:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"19"}}}

As raw text event, example 2:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"35"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"12"}}}

What I want to do is to have a result showing a tab with for each:

"licenseName":"max(usedLicenses),totalLicenses"

With current example:
"compiler_em66":"39,70"
"compiler_am66":"19,30"

Would that be possible, and how?
Pretty new to the Splunk search language.

0 Karma

Sukisen1981
Champion

hi @adrien_dereumaux

assuming your _raw events are exactly as you describe, with quotes, try this:

| rex field=_raw "(?<raw>.*?)\s+" max_match=0
| table raw
| mvexpand raw
| rex field=raw "actualValue\"+\=+\"(?<actual>.*?)\"" max_match=0 
| rex field=raw "maximum\"+\=+\"(?<max>.*?)\"" max_match=0 
| rex field=raw "randomName(?<name>.*?)\." max_match=0
| stats max(actual) as actual,max(max) as max by name
| eval tab="\""+"randomName"+name+"\""+":"+"\""+actual+","+max+"\""
| fields tab
0 Karma
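As an added example that is not part of the original thread: a JSON-aware version of the search for the `licenses.<name>.totalLicenses` / `usedLicenses` layout in the question, instead of splitting `_raw` on whitespace as the answer above does. It assumes the events live in `index=cc_esm3_monitoring` (the index named later in the thread), that `spath` extracts the nested keys as dotted field names, and that `rows` is a scratch field chosen here. With the two sample events from the question it produces `"compiler_em66":"39,70"` and `"compiler_am66":"19,30"`, and it works for any number of license names because `foreach` walks every `licenses.*.usedLicenses` field rather than hard-coding names.

```spl
index=cc_esm3_monitoring
| spath
| foreach licenses.*.usedLicenses
    [ eval rows = mvappend(rows, "<<MATCHSTR>>" . "|" . '<<FIELD>>' . "|" . 'licenses.<<MATCHSTR>>.totalLicenses') ]
| mvexpand rows
| rex field=rows "^(?<name>[^|]+)\|(?<used>\d+)\|(?<total>\d+)$"
| eval used = tonumber(used), total = tonumber(total)
| stats max(used) AS used, max(total) AS total BY name
| eval tab = "\"" . name . "\":\"" . used . "," . total . "\""
| table tab
```

The `foreach` loop builds one `name|used|total` string per license in the event (`<<MATCHSTR>>` is the part of the field name matched by `*`, `<<FIELD>>` the full field name); `mvexpand` turns those into one row per license so that `stats ... BY name` can take the maximum used count across events. Because the values are read from the extracted fields rather than from a regex over `_raw`, the order of the keys inside each license object does not matter.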

Sukisen1981
Champion

hi @adrien_dereumaux

Please check the answer and accept it, if it resolves your issue.

0 Karma

adrien_dereumau
Path Finder

Hi @Sukisen1981, sorry, I was on holidays.
Your answer seems perfect to me, but I am struggling to implement it.
I tried not to leak information about it, but it seems that I should just give more information on the data I have. The event is the following:

{
   licenses: {
     compiler_em66: {
       totalLicenses: 70
       usedLicenses: 39
     },
     compiler_am66: {
       totalLicenses: 70
       usedLicenses: 39
     }
   }
   serverURL: port@server.com
}

As raw text:

{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"70", "usedLicenses":"39"}}}

I still changed the server URL for obvious reasons. And we can have many kinds of license names, and I would like to compare each of them.

I don't really understand how the regex works in Splunk; can you link me a good article for this one?

0 Karma

Sukisen1981
Champion

hi @adrien_dereumaux

It does not look like my answer resolved your issue; please unaccept it, as it might lead other forum members to the wrong solution in the future.
What is the output you get when you try my regex?

0 Karma

adrien_dereumau
Path Finder

Hi @Sukisen1981 I simplified my input to stop bothering myself too much:

{
   license: licenseName
   serverURL: port@server.com
   total: 325
   used: 29
}

Or as a raw text is now:

{"serverURL":"port@server.com", "license":"qacpp-mbrw v4.4", "total":"325", "used":"29"}

I used your answer and modified it to get the expected result:

index=cc_esm3_monitoring
| stats max(total) as total, max(used) as used by license
| eval tab="\""+"license:"+license+"\""+":"+"\""+used+","+total+"\""
| fields tab

Which gives me the following results:

"license:licenseName1":"0,11"
"license:licenseName2":"3,11"
"license:licenseName3":"0,3"
"license:licenseName4":"1,11"

Thanks for your help!
Since I shifted from the original question, what should I do?

0 Karma

adrien_dereumau
Path Finder

I tried changing it as follows:

     | rex field=_raw "(?<raw>.*?)\s+" max_match=0
     | table raw
     | mvexpand raw
     | rex field=raw "usedLicenses\"+\=+\"(?<actual>.*?)\"" max_match=0 
     | rex field=raw "totalLicenses\"+\=+\"(?<max>.*?)\"" max_match=0 
     | rex field=raw "licenses(?<name>.*?)\." max_match=0
     | stats max(actual) as actual,max(max) as max by name
     | eval tab="\""+"licenseName"+name+"\""+":"+"\""+actual+","+max+"\""
     | fields tab

And I get "No results found".
I'm sorry, I should have given the real data from the beginning.

0 Karma

adrien_dereumau
Path Finder

Updated the question with real data.

0 Karma

somesoni2
SplunkTrust

So there are multiple sets of randomName<N>. fields in one single event? And you want to show max(ActualValue) and Maximum for each of the <N> fields?

0 Karma

adrien_dereumau
Path Finder

I tried stats; it will become harder to see the data when I have many servers.
@somesoni2: I actually have 15 different kinds of event, and each of them has one to five randomName, and you understood well what I would like to do.

0 Karma

qbolbk59
Path Finder

Hi,

I think you can simply do a stats of the data. Something like this:
| stats values() as custom_file_name by

0 Karma