Dashboards & Visualizations

Why is the rangemap command in my search not producing expected results?

crazyeva
Contributor

The search is easy:

index=_internal|fields|stats count|rangemap field=count low=0-50000 elevated=50001-100000 default=severe

visualization single value stops growing before the search finishes!
I uploaded the results:
http://ntu.so/di/SR69M/bug.gif

In a dashboard
rangemap field=count severe=0-50000 elevated=50001-100000 default=low works fine
rangemap field=count low=0-50000 elevated=50001-100000 default=severe stays green?
I am really confused by this command
splunk version 6.0

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

I attempted to reproduce your problem on v6.2 but could not; everything worked as expected. The only thing I see is an extra |fields which is useless overhead (you should remove it) but that should not cause any problems like you are seeing.

View solution in original post

0 Karma

lguinn2
Legend

In your GIF, the search is

index=_internal|fields|stats count|rangemap field=count low=0-50000 elevated=500001-100000 default=severe

So you have a typo - the "elevated" range is invalid.

And as @woodcock pointed out, the "|fields" does nothing.

crazyeva
Contributor

Every thing seems right on version 6.2.4, I have to upgread my plateform

0 Karma

crazyeva
Contributor

thank you
after correcting this mistake, the problem still remains. i will try this on a newer version.
by the way, i suppose "|fields" tell splunk not to extract any fields, even host\source\sourcetype, in order to accelerate the search, is that wrong?

0 Karma

MuS
SplunkTrust
SplunkTrust

Yes, that's wrong.
See docs on fields http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Fields

Keeps (+) or removes (-) fields from search results based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed. If neither is specified, defaults to +.

woodcock
Esteemed Legend

I attempted to reproduce your problem on v6.2 but could not; everything worked as expected. The only thing I see is an extra |fields which is useless overhead (you should remove it) but that should not cause any problems like you are seeing.

0 Karma

crazyeva
Contributor

thank you for your validation, i will try this on a newer version

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...