Splunk Search

How can I subtract three values from Json?

New Member

Hi!
I have a Json like this:
{"LicenseNum":62,
"Status":"Registered"}
and the Status can differ from three types: Registered, Disconnected and Dropped.
alt text

Based on this chart, I need to build a new one with the following mathematical equation: number of Registered - number of Disconnected - number of Dropped.
Could somebody please help me?
I've already tried to use the stats and eval function, but I probably did something really wrong.

Thank you in advance (:

Tags (3)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try adding this

... | eval Remaining = Registered - Disconnected - Dropped

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try adding this

... | eval Remaining = Registered - Disconnected - Dropped

View solution in original post

0 Karma

New Member

I've already tried it. I'm using the following query:

eval License=(Registered - Disconnected - Dropped) | chart max(LicenseNum) by DateTime, License

But I keep getting as result just "Registered - Disconnected"

0 Karma