Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is the rangemap command in my search not producing expected results?

crazyeva
Contributor
‎07-16-2015 01:45 AM

The search is easy:

index=_internal|fields|stats count|rangemap field=count low=0-50000 elevated=50001-100000 default=severe

visualization single value stops growing before the search finishes!
I uploaded the results:
http://ntu.so/di/SR69M/bug.gif

In a dashboard
rangemap field=count severe=0-50000 elevated=50001-100000 default=low works fine
rangemap field=count low=0-50000 elevated=50001-100000 default=severe stays green?
I am really confused by this command
splunk version 6.0

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-16-2015 06:19 AM

I attempted to reproduce your problem on v6.2 but could not; everything worked as expected. The only thing I see is an extra |fields which is useless overhead (you should remove it) but that should not cause any problems like you are seeing.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-16-2015 09:05 AM

In your GIF, the search is

index=_internal|fields|stats count|rangemap field=count low=0-50000 elevated=500001-100000 default=severe

So you have a typo - the "elevated" range is invalid.

And as @woodcock pointed out, the "|fields" does nothing.

Reply
Solved! Jump to solution

crazyeva
Contributor
‎07-16-2015 11:58 PM

Every thing seems right on version 6.2.4, I have to upgread my plateform

0 Karma
Reply
Solved! Jump to solution

crazyeva
Contributor
‎07-16-2015 08:42 PM

thank you
after correcting this mistake, the problem still remains. i will try this on a newer version.
by the way, i suppose "|fields" tell splunk not to extract any fields, even host\source\sourcetype, in order to accelerate the search, is that wrong?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-16-2015 08:44 PM

Yes, that's wrong.
See docs on fields http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Fields

Keeps (+) or removes (-) fields from search results based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed. If neither is specified, defaults to +.
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-16-2015 06:19 AM

I attempted to reproduce your problem on v6.2 but could not; everything worked as expected. The only thing I see is an extra |fields which is useless overhead (you should remove it) but that should not cause any problems like you are seeing.

0 Karma
Reply
Solved! Jump to solution

crazyeva
Contributor
‎07-16-2015 07:47 PM

thank you for your validation, i will try this on a newer version

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...