- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
preben12
Communicator
11-16-2013
11:42 AM
How can I make use of the rangemap when my search returns statis values like [OK or ERROR or WARN] and display a single value with a icon for each ERROR = server, OK = low and WARN = guarded.
Somehow I have to translate the ERROR ect. to a number to make use of rangemap i guess ?
The search = index=something | sort - _time
The search returns a status and a timestamp where only the resent value should count.
Normally the single value works like this :
<single>
<searchString>| stats count as value | eval value = 550 | rangemap field=value none=0-99 low=100-199 guarded=200-299 elevated=300-399 high=400-499 severe=500-599 default=none</searchString>
<earliestTime>-15m</earliestTime>
<latestTime>now</latestTime>
<option name="classField">range</option>
<option name="field">value</option>
</single>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
11-16-2013
12:42 PM
You can use the eval command to translate values using the if() or case() functions. For example
index=something | sort - _time | eval range=case(status == "OK", "low", status == "WARN", "guarded", status == "ERROR", "severe")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ziegfried
Influencer
11-16-2013
12:42 PM
You can use the eval command to translate values using the if() or case() functions. For example
index=something | sort - _time | eval range=case(status == "OK", "low", status == "WARN", "guarded", status == "ERROR", "severe")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
preben12
Communicator
11-16-2013
01:44 PM
perfect !!
