Dashboard single and rangemap

preben12
Communicator

How can I make use of the rangemap when my search returns status values like [OK or ERROR or WARN] and display a single value with an icon for each: ERROR = severe, OK = low and WARN = guarded?

Somehow I have to translate the ERROR etc. to a number to make use of rangemap, I guess?

The search = index=something | sort - _time
The search returns a status and a timestamp where only the recent value should count.

Normally the single value works like this:

<single>
    <searchString>| stats count as value | eval value = 550 | rangemap field=value none=0-99 low=100-199 guarded=200-299 elevated=300-399 high=400-499 severe=500-599 default=none</searchString>
    <earliestTime>-15m</earliestTime>
    <latestTime>now</latestTime>
    <option name="classField">range</option>
    <option name="field">value</option>
</single>
0 Karma
1 Solution

ziegfried
Influencer

You can use the eval command to translate values using the if() or case() functions. For example:

index=something | sort - _time | eval range=case(status == "OK", "low", status == "WARN", "guarded", status == "ERROR", "severe")

preben12
Communicator

perfect !!

0 Karma
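
The eval from the accepted answer placed into the single-value panel from the question, as an added example that is not part of the original thread. It assumes the field is named `status` as in the answer; the `head 1`, the `true()` fallback branch and pointing `field` at `status` are additions made here so that only the most recent event drives the icon.

```xml
<single>
    <!-- Added example, not from the original thread. -->
    <!-- head 1 keeps only the newest event after the sort. -->
    <!-- The true() branch is an assumed fallback for unexpected status values. -->
    <searchString>index=something | sort - _time | head 1 | eval range=case(status == "OK", "low", status == "WARN", "guarded", status == "ERROR", "severe", true(), "none")</searchString>
    <earliestTime>-15m</earliestTime>
    <latestTime>now</latestTime>
    <!-- classField takes the display class from the computed range field, so rangemap is not needed. -->
    <option name="classField">range</option>
    <!-- Assumption: show the status text itself rather than a numeric value. -->
    <option name="field">status</option>
</single>
```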