Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show count as 0 for rangemap if a range does not exist

northcal_splunk
Engager
‎03-01-2014 12:54 AM

Hi,
I are trying to generate a search report using the follow query

rangemap field="value"
    "<$1"=0-1
    "$1-$2"=1-2
    "$2-$3"=2-3
    "$3-$5"=3-5
    |top limit=0 range

If there is no value falls in range 2-3, the report shows as follow

range    count         percent
<$1        10           50
$1-$2      5            25
$3-$5      5            25

How could I make the report shows as

range    count         percent
<$1        10           50
$1-$2      5            25
$2-$3      0            0``
$3-$5      5            25

Thanks

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎03-01-2014 06:03 AM

One way I solve this is with a lookup providing default (or sentinel) values. If you had a lookup file named ranges.csv that had in it:

range,count
<$1,0
$1-$2,0
$2-$3,0
$3,$5,0

Then you could change your search to something like:

|rangemap field="value"
   "<$1"=0-1
   "$1-$2"=1-2
   "$2-$3"=2-3
   "$3-$5"=3-5
|top limit=0 range
|inputlookup append=true ranges.csv
|stats max(count) by range

The inputlookup appends the zero-rows for your known ranges, and the stats command removes the zero-rows where they are not needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎03-01-2014 06:03 AM

One way I solve this is with a lookup providing default (or sentinel) values. If you had a lookup file named ranges.csv that had in it:

range,count
<$1,0
$1-$2,0
$2-$3,0
$3,$5,0

Then you could change your search to something like:

|rangemap field="value"
   "<$1"=0-1
   "$1-$2"=1-2
   "$2-$3"=2-3
   "$3-$5"=3-5
|top limit=0 range
|inputlookup append=true ranges.csv
|stats max(count) by range

The inputlookup appends the zero-rows for your known ranges, and the stats command removes the zero-rows where they are not needed.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2014 06:14 AM

Additionally, a note about rangemap - in the search from your question, a $2 item will appear both in the 1-2 and the 2-3 category because the ranges are both inclusive. If that's undesired behaviour you can replace the rangemap with a case expression like so:

... | eval range = case(value < 1, "<$1", value < 2, "$1-$2", ...)

That way a $2 item will only be listed in $2-$3, the upper bounds of each range are treated as non-inclusive by the less-than rather than a less-than-or-equal used by rangemap.

The lookup suggested by @dwaddle is still required when using case instead of rangemap.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...