Comparing value from two objects based on another ...

oleg1 · ‎11-13-2020

Hi Splunk experts,

My events have a timeline that tells me how long certain operations took. What I'm trying to determine is how frequently "item_B" has a longer duration than "item_C". The array is not guaranteed to have the same order every time so I need to access each object in the array by the "label" field.

Any suggestions?

timeline":[
   {
      "label":"item_A",
      "duration":1
   },
   {
      "label":"item_B",
      "duration":955,
   },
   {
      "label":"item_C",
      "duration":0,
   },
   {
      "label":"item_D",
      "duration":55,
   }
]

to4kawa · ‎11-13-2020

index=_internal | head 1 | fields _raw 
| eval _raw="{\"timeline\":[{\"label\":\"item_A\",\"duration\":1},{\"label\":\"item_B\",\"duration\":955},{\"label\":\"item_C\",\"duration\":0},{\"label\":\"item_D\",\"duration\":55}]}"
| spath timeline{} output=timeline
| mvexpand timeline
| spath input=timeline
| table label duration

please do the math on the rest.

Comparing value from two objects based on another field

count

eval

stats

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?