How do I track event progress in a rangemap?

stevedefazio · ‎12-04-2018

I am building a dashboard that shows the progress of a particular process. What I'd like to do is:

In the last 24 hours
If I've seen message x, set a rangemap to grey
If I've seen message x & then y, set rangemap to yellow
If I've seen message x & then y, & then z, set rangemap to green
If I've seen message x & then 20 minutes have passed without y or z, set rangemap to red

index="myIndex" | rex field=message=(extract message field).* | (here is what I am not sure of) | rangemap field=message grey=1 yellow=2 green=3 red=4

Basically, I'm not sure how to get from "counting things" to "check if multiple related things have happened"

bjoernjensen · ‎12-05-2018

Hi,

if the constrains let you do this you might want to have a look into the usage of event types for message x, y and z.

To get a relation between events I would use streamstats with windows (number of events) or time_window (time frame).
http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Streamstats

Cheerz,
Björn

How do I track event progress in a rangemap?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life