topic Re: Combining multiple field values for stats/charting in Splunk Search

Combining multiple field values for stats/charting

DATT — Wed, 03 Jul 2024 23:06:53 GMT

I have a field in my data named severity that can be one of five values: 1, 2, 3, 4, and 5.

I want to chart on the following: 1-3, 4, and 5. Anything with a severity value of 3 or lower can be lumped together, but severity 4 and 5 need to be charted separately.

The coalesce command is close but in my case the key is the same, it's the value that changes. None of the mv commands look like they do quite what I need, nor does nomv.

The workaround I've considered doing is an eval command with an if statement to say if the severity is 1, 2, or 3, set a new field value to 3, then chart off of this new field. It feels janky, but I think it would give me what I want.

Is it possible to do what I want in a more elegant manner?

Re: Combining multiple field values for stats/charting

yuanliu — Thu, 04 Jul 2024 03:25:30 GMT

What's wrong with setting value in the same field? Given this mock data

Severity
1
1
5
4
4
3
3
1
1
2
3
2
2

and this added to your search,

| eval Severity = if(Severity < 4, "lump", Severity)

You will get

Severity

lump

Is this what you are looking for? (By the way, to pose an answerable question, it is always good to post sample/mock data, desired output, and explain the logic between illustrated data and desired output.)

Play with this emulation and compare with real data

| makeresults format=csv data="Severity 1 1 5 4 4 3 3 1 1 2 3 2 2" ``` data emulation above ```

Re: Combining multiple field values for stats/charting

bowesmana — Thu, 04 Jul 2024 04:31:00 GMT

You can use rangemap simply

| makeresults count=100 | eval severity=random() % 5 + 1 | rangemap field=severity low=1-3 medium=4-4 high=5-5

Re: Combining multiple field values for stats/charting

DATT — Thu, 04 Jul 2024 05:06:35 GMT

It's probably my own paranoia but I try not to overwrite a data field like this in case I have to use the original data field for whatever reason. But functionally this would do what I need, I just didn't know if there was a more Splunk-y way to do it.

Re: Combining multiple field values for stats/charting

bowesmana — Thu, 04 Jul 2024 07:28:35 GMT

You can do it by overwriting the field, or just create a new field or use the rangemap, there are so many ways to do it - you can also use fieldformat, which will display a value, but retain the original - see this example how after the stats, the severity retains its numerical value and also the stats will still split by the different numerical values.