How-to: Different rangemap based on field value

splunkIT · ‎02-09-2015

I am looking to add a rangemap on a dashboard. I have used rangemap in the past but in this case I would need different ranges based on a field value.

Example:

cv3_level = Error | rangemap low=0-9 elevated=10-49 default=severe
cv3_level = Fatal | rangemap low=0-0 default=severe

"cv3_level = Fatal" hopefully will never show up but they want the 0 on the screen. The search shows up correct for the count. I am using the code from "Table Icon Set" to display a icon set so on the dashboard people just see pretty colors.

mzorzi · ‎02-24-2015

You need to use a eval with case and cover the different combinations. For instance:

index=_internal earliest=-15min sourcetype=splunk* | eval log_level=case(date_second<=10,"INFO",date_second<=50,"Warning",date_second<=59,"Fatal") | chart count by log_level | eval range=case((log_level="Fatal" AND count<100), "Low" , (log_level="Fatal" AND count<2000), "Warning") | table log_level,count,range

hexx · ‎02-09-2015

Could you please provide a clear example using a sample event and indicating the value(s) of the input field for rangemap as well as the desired output values?

How-to: Different rangemap based on field value

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023