topic Re: How to edit my rangemap search so that ranges will display as table columns? in Splunk Search

How to edit my rangemap search so that ranges will display as table columns?

cstarling — Tue, 29 Sep 2020 13:21:42 GMT

Hello! I am using Splunk to correlate packet statistics. In a log we have the following fields: sencore_iat and sencore_uncorrected_packets. Our goal is to map a sencore_iat range to the total amount of uncorrected packets per host. We are looking to make a table like below. Lets say iat_range1 is IAT zero to 1 and iat_range2 is IAT from 1 to 5

host | count(iat_in_range1) | total_uncorrected_packets_for_this_host_with_iat_range1 | count(iat_in_range2) | total_uncorrected_packets_for_this_host_with_iat_range2 .

Here is what I have so far:

myBaseSeach| 
rangemap field=sencore_iat "0 to 1"=0-1 "1 to 5"=1-5 default="other" | 
stats 
count(sencore_iat) as total_occurances_of_iat
sum(sencore_uncorrected_packets) as sum_of_all_uncorreted_packets
by range,  host

This search gives the correct data, however it is not how we want it displayed. This search gives us the iat ranges from the rangemap command in a row, and we are looking to have each iat range from the rangemap command as a column. I am wondering is this possible using the rangemap command?

Please let me know if the question is unclear, or if I should not even be using the rangemap command. Any help would be greatly appreciated!

Re: How to edit my rangemap search so that ranges will display as table columns?

woodcock — Mon, 27 Mar 2017 17:46:00 GMT

Simply change stats to chart and make it BY host range instead of BY range host.

Re: How to edit my rangemap search so that ranges will display as table columns?

DalJeanis — Mon, 27 Mar 2017 17:49:31 GMT

This makes random test data ...

| makeresults | eval host="a a a a a a a a b b b b b b b b c c c c c c c c c d d d d d" 
| makemv host 
| mvexpand host
| eval rand=random()%100

This maps the data , sorts the ranges to the desired order, produces the chart with columns as requested, then renames the columns to the desired names.

| rangemap field=rand rangeA=0-40 rangeB=41-80 default=rangeC 
| rename range as myrange 
| stats count as mycount sum(rand) as mysum by myrange host 
| chart sum(mysum) over host by myrange
| rename rangeA as "0 to 1", rangeB as "1 to 5", rangeC as "other"

Re: How to edit my rangemap search so that ranges will display as table columns?

cstarling — Mon, 27 Mar 2017 18:13:11 GMT

this works nicely. Is there a way to change the order of the columns that are spit out by the chart command?

Re: How to edit my rangemap search so that ranges will display as table columns?

cstarling — Mon, 27 Mar 2017 18:19:32 GMT

I got it with a simple table command. Thanks for your help!

Re: How to edit my rangemap search so that ranges will display as table columns?

cstarling — Mon, 27 Mar 2017 18:20:24 GMT

This also works nicely. I accepted the other answer simply because it was 3 mins quicker 🙂

Re: How to edit my rangemap search so that ranges will display as table columns?

DalJeanis — Tue, 28 Mar 2017 14:00:35 GMT

Heh. Serves me right for testing my code. 😉

It's no big deal which one gets accepted or upvoted, just so you got what you needed.