topic Re: How to deal with value ranges? in Deployment Architecture

How to deal with value ranges?

petersob — Fri, 18 Oct 2013 18:46:30 GMT

Hello Community,

have two simple questions about dealing with value ranges:

1) how to put ranges together?

I have log informations with ranges, e.g.:

from="1001" to="2000" type="aaa"
from="2001" to="4000" type="aaa"
from="4001" to="5000" type="aaa"
from="10000" to="20000" type="aaa"
from="20001" to="40000" type="BBB"

I would like to compress it to get something like that:

from="1001" to="5000" type="aaa"
from="10000" to="20000" type="aaa"
from="20001" to="40000" type="BBB"

that means, the first three events should be merged, because the range ist continous and they are of the same type. The forth is an nother range and 5th is another type.

Is there any simple way to go to get it solved?

2) based on the ranges mentioned above (in the events), is there any simple way, if I have a value, e.g. "1565" to identify what type is it?

Ragards,
Peter

Re: How to deal with value ranges?

kristian_kolb — Fri, 18 Oct 2013 19:26:01 GMT

It's a little bit unclear. Are these actual events? Then merging them would... I don't know. This seems better suited for a lookup function..or a case function in the search query or... or a rangemap... but all of those are specified outside the context of the event contents. A little background (and some full events) would be beneficial.

Re: How to deal with value ranges?

petersob — Fri, 18 Oct 2013 19:49:39 GMT

yes, they would be one line per event.
In fact I just want to create the log messages, what I have are just ranges of serial numbers (first and last, ok i wrote "from" and "to"). Only one range per event will be generated, because they occure at different time. Then, in later time (perhaps dayily or weekly) I have to evaluate the data as described: merging ranges together and making a report containing the used ranges of numbers.
I decided to use key="value" pairs for the fields because Splunk recognize them automatically without further field definitions.

Re: How to deal with value ranges?

petersob — Fri, 18 Oct 2013 19:49:57 GMT

...and the second point was, to use that range log events to find the right item type.
In fact it's not "type" but an identifier (don't care about the name), which I will use then for further search. That means, if something happens to the number "1565" I will like to make a simple search (maybe using a form input) and get the item type.

Re: How to deal with value ranges?

petersob — Fri, 18 Oct 2013 20:15:07 GMT

if i do something like that: "... | stats min(from) as first, max(to) as last by type" I will miss, that there is a gap between 5000 and 10000.

Re: How to deal with value ranges?

kristian_kolb — Fri, 18 Oct 2013 20:15:32 GMT

sorry, but I still don't get it. In my mind, the events that you create in your log would contain number=1234, and then you could search with a case or rangemap function. Or actually use the type information already in the events....

Re: How to deal with value ranges?

kristian_kolb — Fri, 18 Oct 2013 20:18:19 GMT

Do you want to - for a given timeframe - find what the actual ranges were.... hmm.. perhaps...

... | stats min(from) as Low max(to) as High by type | ...

is what you are looking for?

Re: How to deal with value ranges?

petersob — Fri, 18 Oct 2013 20:25:53 GMT

something like that, but this one doesn't care about the gap between 5000 and 10000.
There maybe a multiple gaps between the min and max, and I need to know all the gaps.
Thats the problem.

Re: How to deal with value ranges?

somesoni2 — Sat, 19 Oct 2013 14:18:50 GMT

Will these range values will always be in ascending order?

Re: How to deal with value ranges?

petersob — Sun, 20 Oct 2013 16:26:15 GMT

now I solved that by writing a custom search command.

Re: How to deal with value ranges?

Runals — Wed, 13 Nov 2013 12:34:54 GMT

... | eval type = case(from > 1000 AND to < 5000,"aaa",from > 10000 AND to < 20000,"aaa", from > 20001 AND to < 40000,"BBB", 1=1,"Other")

For the second part of your question that's what I'd lean toward at any rate. The 1=1 is so that if there are values that fall outside of your ranges that evaluates as true and you can see or alert yourself if "Other" shows up.

Re: How to deal with value ranges?

zomis — Wed, 13 Nov 2019 09:53:13 GMT

This doesn't provide any useful information at all. More details are needed.