How to change the threshold of either the radial gauge or the rangemap command?

Motivator

I am using a rangemap function for IIS data. I am counting the amount of successful 'hits' in a log (status=2*) and I'm attempting to map the results to a radial gauge; however, Splunk is truncating the results at 1000. I have 70000+ hits every 60 minutes, so I'm wondering how to change the threshold of either the radial gauge or the rangemap command:

This is my query:

index=my_index sourcetype="iis" sc_status=2* |lookup status_codes.csv status AS sc_status | rangemap field=count low=0-19999 guard=20000-39999 elevated=40000-69999 high=70000-99999 severe=100000-200000 default=severe

Is there a way to adjust the rangemap to accept these thresholds?

0 Karma
1 Solution

Splunk Employee

Regardless of using rangemap, you can use gauge pretty easily here:

... | gauge count 0 20000 40000 70000 100000 200000

The first value is the starting value, the last one is the ending value. The values in the middle will automatically become the splitting points. The default colors go from green -> green/yellow -> yellow -> orange -> red. count here would be whatever field you're displaying.

See the docs on the gauge command here.

New Member

This is good, but how do I make the numbers to the gauge command dynamic instead of actual numbers? Can I use eval to get the numbers in a variable like

 .... eval y1=(Total * 0.5) | eval y2=(Total * 0.8) |eval y3=Total | gauge count 0 y1 y2 y3 
0 Karma

SplunkTrust

I don't see any aggregation command in your query, which means that for your chart the number of records is more than 1000, causing the truncation. Try something like this:

index=my_index sourcetype="iis" sc_status=2* | stats count by sc_status | lookup status_codes.csv status AS sc_status | rangemap field=count low=0-19999 guard=20000-39999 elevated=40000-69999 high=70000-99999 severe=100000-200000 default=severe
0 Karma