I would want the range map's range to change according to the time range selected by users.
For example, last 24 hrs:
low=1-10 elevated=11-20 default=severe
Then for last 7 days:
low=1-70 elevated=71-140 default=severe
Is it possible to put all this in one search?
Thanks in advance.
Is the time range selection done by the time range picker (virtually unlimited possible values), or did you create a dropdown with only selected time ranges? In case of the latter, there might be a way by using tokens.
First, realize that rangemap is just a simple variant of the case function of eval:
| rangemap field=X low=1-10 elevated=11-20 default=severe
is the equivalent of
| eval range=case(X>=1 and X<=10,"low", X>10 and X<=20,"elevated", 1==1,"severe")
The case function allows a lot more flexibility. rangemap only works with integers; case works with numbers and strings. case can also support complex conditionals. So, you could do this:
| addinfo | eval multiplier= (info_max_time - info_min_time) / 86400 | eval range=case(X>=1*multiplier and X<=10*multiplier,"low", X>10*multiplier and X<=20*multiplier,"elevated", 1==1,"severe")
This gets the earliest and latest times for the search (from addinfo) and then calculates a multiplier based on the number of days. So if the user searched over the last 7 days, the multiplier would be approximately 7. But you could calculate the conditions used by the case function any way that you want.
Note that you will not need to change any CSS or single-value visualizations - they will work exactly as they did before. Why? Because the field calculated by the eval command is "range" - the same field that is the result of the rangemap command, and the values for range are set to "low", "elevated" or "severe", just as they are for the
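As an added illustration of the answer above (this is not code from the thread or from Splunk): a small Python tool that parses rangemap arguments, emits the equivalent addinfo-scaled eval/case pipeline, and evaluates the same logic locally so you can check what a dashboard panel will show for a given count and time window. Function names are my own; it assumes the same 86400-second divisor and integer bands as the answer, and reproduces the answer's trick of writing the second band's lower bound as X>10*multiplier so that scaling contiguous integer bands leaves no gap.

```python
import re

DAY_SECONDS = 86400  # same divisor as the answer's addinfo-based multiplier

def parse_rangemap(spec):
    """Parse 'field=X low=1-10 elevated=11-20 default=severe' into
    (field, [(name, lo, hi), ...], default); bands are integer ranges."""
    field, default, bands = None, None, []
    for token in spec.split():
        key, _, value = token.partition("=")
        if key == "field":
            field = value
        elif key == "default":
            default = value
        else:
            m = re.fullmatch(r"(\d+)-(\d+)", value)
            if not m:
                raise ValueError(f"bad range for {key}: {value!r}")
            bands.append((key, int(m.group(1)), int(m.group(2))))
    if field is None or default is None:
        raise ValueError("rangemap needs field= and default=")
    return field, bands, default

def scaled_bands(spec):
    """Yield (name, lower_is_exclusive, lower, hi). A band starting right after the
    previous one (11 after 10) gets 'X > 10*multiplier', so scaling opens no gap."""
    _, bands, _ = parse_rangemap(spec)
    prev_hi = None
    for name, lo, hi in bands:
        contiguous = prev_hi is not None and lo == prev_hi + 1
        yield name, contiguous, (prev_hi if contiguous else lo), hi
        prev_hi = hi

def to_spl(spec):
    """Emit the eval pipeline that replaces '| rangemap ...' after '| addinfo'."""
    field, _, default = parse_rangemap(spec)
    parts = []
    for name, exclusive, lo, hi in scaled_bands(spec):
        parts.append(f'{field}{">" if exclusive else ">="}{lo}*multiplier and '
                     f'{field}<={hi}*multiplier,"{name}"')
    parts.append(f'1==1,"{default}"')
    return (f"eval multiplier=(info_max_time - info_min_time) / {DAY_SECONDS} "
            f"| eval range=case({', '.join(parts)})")

def classify(spec, x, info_min_time, info_max_time):
    # Same decision the generated eval makes, computed locally for a sanity check.
    _, _, default = parse_rangemap(spec)
    mult = (info_max_time - info_min_time) / DAY_SECONDS
    for name, exclusive, lo, hi in scaled_bands(spec):
        above = x > lo * mult if exclusive else x >= lo * mult
        if above and x <= hi * mult:
            return name
    return default
```

One consequence of scaling every bound, visible in classify: over a 7-day window the low band starts at 7, so a count of 3 falls through to the default rather than "low".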
I like this approach!
This could also be done with a lookup; take a look here https://answers.splunk.com/answers/341505/splunk-dynamic-count-of-lookups-in-csv.html#answer-341515 where a lookup is used to set semi-dynamic thresholds. Add a time range to the entries and you can do it based on time ranges 😉
Yes @MuS, I thought about a lookup as well. I think that a lookup would be a great approach for a lot of things, not just this example.
I didn't add it here, because I wanted to stay close to "how rangemap works" for this particular example.
I always get "severe" no matter how I change the range. Is there any reason why?
I tried changing the range to ensure that my total events would fall into the elevated range, but the result is still severe.
I didn't have a problem with the logic. I suggest that you do this to debug your problem:
| addinfo | eval multiplier= (info_max_time - info_min_time) / 86400 | eval low_start = 1*multiplier | eval low_end = 10*multiplier | eval elevated_start = low_end | eval elevated_end = 20*multiplier | eval range=case(X>=low_start and X<=low_end,"low", X>elevated_start and X<=elevated_end,"elevated", 1==1,"severe") | table range X low_start low_end elevated_start elevated_end multiplier
This will probably show you what is happening. In my own test case, the X that I was generating was much larger than I thought it was...
You may need to adjust the multiplier or how you define your ranges.
Again, I couldn't find anything wrong with the original solution; this is just to give you more information about what it is doing...