I am using a rangemap function for IIS data. I am counting the number of successful 'hits' in a log (status=2*) and I'm attempting to map the results to a radial gauge; however, Splunk is truncating the results at 1000. I have 70000+ hits every 60 minutes, so I'm wondering how to change the threshold of either the radial gauge or the rangemap command.
This is my query:
index=my_index sourcetype="iis" sc_status=2* |lookup status_codes.csv status AS sc_status | rangemap field=count low=0-19999 guard=20000-39999 elevated=40000-69999 high=70000-99999 severe=100000-200000 default=severe
Is there a way to adjust the rangemap to accept these thresholds?
aljohnson_splun (Splunk Employee)
Regardless of using rangemap, you can use gauge pretty easily here:
... | gauge count 0 20000 40000 70000 100000 200000
The first value is the starting value, the last one is the ending value. The values in the middle will automatically become the splitting points. The default colors go from green -> green/yellow -> yellow -> orange -> red. count here would be whatever field you're displaying.
See the docs on the gauge command here.
This is good, but how do I make the numbers to the gauge command dynamic instead of actual numbers? Can I use eval to get the numbers in a variable, like:
.... eval y1=(Total * 0.5) | eval y2=(Total * 0.8) |eval y3=Total | gauge count 0 y1 y2 y3
somesoni2
I don't see any aggregation command in your query; it means that for your chart the number of records is more than 1000, causing the truncation. Try something like this:
index=my_index sourcetype="iis" sc_status=2* | stats count by sc_status | lookup status_codes.csv status AS sc_status | rangemap field=count low=0-19999 guard=20000-39999 elevated=40000-69999 high=70000-99999 severe=100000-200000 default=severe