Dashboards & Visualizations

Is it possible to have rangemap's range change dynamically according to the time range selected by users?

Engager

I would want the range map's range to change according to the time range selected by users.

For example last 24hrs
low=1-10 elevated=11-20 default=severe
Then for last 7days
low=1-70 elevated=71-140 default=severe

Is it possible to put all this in one search?

Thanks in advance.

0 Karma

Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

Motivator

I doubt it mate.

0 Karma

Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

SplunkTrust

Is the time range selected done by the time range picker (virtually unlimited possible values), OR did you create a dropdown with only selected time ranges? In case of the latter, there might be a way by using the tokens.

0 Karma

Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

Legend

First, realize that rangemap is just a simple variant of the case function of eval.

| rangemap field=X low=1-10 elevated=11-20 default=severe

is the equivalent of

| eval range=case(X>=1 and X<=10,"low",
                 X>10 and X<=20,"elevated",
                 1==1,"severe")

But the case function allows a lot more flexibility. rangemap only works with integers; case works with numbers and strings. case can also support complex conditionals. So, you could do this:

| addinfo
| eval multiplier= (info_max_time - info_min_time) / 86400
| eval range=case(X>=1*multiplier and X<=10*multiplier,"low",
                     X>10*multiplier and X<=20*multiplier,"elevated",
                     1==1,"severe")

This gets the earliest and latest times for the search (from addinfo) and then calculates a multiplier based on the number of days. So if the user searched over the last 7 days, the multiplier would be approximately 7.
But you could calculate the conditions used by the case function any way that you want.

Note that you will not need to change any CSS or single-value visualizations - they will work exactly as they did before. Why? Because the field calculated by the eval command is "range" - the same field that is the result of the rangemap command, and the values for range are set to "low","elevated" or "severe", just as they are for the rangemap command.


Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

SplunkTrust

I like this approach!
This could also be done with a lookup; take a look here https://answers.splunk.com/answers/341505/splunk-dynamic-count-of-lookups-in-csv.html#answer-341515 where a lookup is used to set semi-dynamic thresholds. Add a time range to the entries and you can do it based on time ranges 😉

cheers, MuS


Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

Legend

Yes @MuS, I thought about a lookup as well. I think that a lookup would be a great approach for a lot of things, not just this example.

I didn't add it here, because I wanted to stay close to "how rangemap works" for this particular example.


Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

SplunkTrust

Understood and agreed 😉

0 Karma

Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

Engager

I always get "severe" no matter how I change the range. Is there any reason why?
I tried changing the range to ensure that my total events would fall into the elevated range, but the result is still severe.

0 Karma

Re: Is it possible to have rangemap's range change dynamically according to the time range selected by users?

Legend

I didn't have a problem with the logic. I suggest that you do this to debug your problem:

| addinfo
| eval multiplier= (info_max_time - info_min_time) / 86400
| eval low_start = 1*multiplier
| eval low_end = 10*multiplier
| eval elevated_start = low_end
| eval elevated_end = 20*multiplier
| eval range=case(X>=low_start and X<=low_end,"low",
                      X>elevated_start and X<=elevated_end,"elevated",
                      1==1,"severe")
| table range X low_start low_end elevated_start elevated_end multiplier

This will probably show you what is happening. In my own test case, the X that I was generating was much larger than I thought it was...
You may need to adjust the multiplier or how you define your ranges.

Again, I couldn't find anything wrong with the original solution; this is just to give you more information about what it is doing...

0 Karma
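The two answers above (the case-with-multiplier rewrite of rangemap, and the debug version that exposes low_start/low_end/elevated_start/elevated_end) can be checked offline without a Splunk instance. The following is an added example, not code from the thread: it re-implements the same eval logic in Python so the scaled thresholds and the resulting range can be inspected for a given X and search window. Field names mirror the SPL (info_min_time, info_max_time, multiplier, range); the sample X values and time windows are constructed for illustration.

```python
import math

SECONDS_PER_DAY = 86400


def rangemap_fixed(x):
    """The original `| rangemap field=X low=1-10 elevated=11-20 default=severe`
    for integer X: fixed 24-hour thresholds."""
    if 1 <= x <= 10:
        return "low"
    if 11 <= x <= 20:
        return "elevated"
    return "severe"


def multiplier_from_window(info_min_time, info_max_time):
    """`| addinfo | eval multiplier=(info_max_time - info_min_time) / 86400`:
    the length of the search window in days (epoch seconds in, days out)."""
    return (info_max_time - info_min_time) / SECONDS_PER_DAY


def classify(x, info_min_time, info_max_time):
    """The debug search from the thread: compute the scaled thresholds, apply
    the same case() cascade, and return every field the `| table` would show.

    Note the cascade uses the SPL comparisons exactly (>= / <= for low,
    > / <= for elevated), so non-integer X lands in a bucket too, unlike
    rangemap, which only deals with integers."""
    multiplier = multiplier_from_window(info_min_time, info_max_time)
    low_start = 1 * multiplier
    low_end = 10 * multiplier
    elevated_start = low_end
    elevated_end = 20 * multiplier

    if low_start <= x <= low_end:
        rng = "low"
    elif elevated_start < x <= elevated_end:
        rng = "elevated"
    else:
        # 1==1 branch: anything outside both windows, including X below low_start
        # and a non-finite multiplier (an unbounded window), ends up here.
        rng = "severe"

    return {
        "range": rng,
        "X": x,
        "low_start": low_start,
        "low_end": low_end,
        "elevated_start": elevated_start,
        "elevated_end": elevated_end,
        "multiplier": multiplier,
    }


def case_matches_rangemap(max_x=30):
    """Sanity check of the first answer's claim: with a 24-hour window
    (multiplier 1.0) the case() version gives the same range as rangemap
    for every integer X from 0 to max_x."""
    one_day = (0, SECONDS_PER_DAY)
    return all(
        classify(x, *one_day)["range"] == rangemap_fixed(x)
        for x in range(0, max_x + 1)
    )


if __name__ == "__main__":
    # Constructed windows: "last 24 hours" and "last 7 days" as epoch seconds.
    for days, x in ((1, 5), (1, 15), (7, 100), (7, 150), (7, 0.5)):
        row = classify(x, 0, days * SECONDS_PER_DAY)
        print(f"{days}d window, X={x}: {row}")
    print("case() == rangemap on integers:", case_matches_rangemap())
    # If the window has no upper bound (All time), the multiplier is not finite
    # and every X falls through to severe; the same happens in the SPL.
    print("unbounded window:", classify(5, 0, math.inf)["range"])
```

Running it prints one row per constructed case, which is the quickest way to see why a value you expected to be "elevated" came out "severe": either X is larger than elevated_end for that window (the situation described in the debug answer), or the window is not what you assumed and the multiplier scaled the thresholds differently.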