I feed my index with many totals and actual use values. Each of those fields is in the following event:
{ [-]
    licenses: { [-]
        compiler_em66: { [-]
            totalLicenses: 70
            usedLicenses: 39
        },
        compiler_am66: { [-]
            totalLicenses: 30
            usedLicenses: 19
        }
    }
    serverURL: port@server.com
}
As a raw text event, example 1:
{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"39"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"19"}}}
As a raw text event, example 2:
{"serverURL":"port@server.com", "licenses":{"compiler_em66":{"totalLicenses":"70", "usedLicenses":"35"},"compiler_am66":{"totalLicenses":"30", "usedLicenses":"12"}}}
What I want to do is to have a result showing a tab with for each:
"licenseName":"max(usedLicenses),totalLicenses"
With current example:
"compiler_em66":"39,70"
"compiler_am66":"19,30"
Would that be possible and how?
I'm pretty new to the Splunk search language.