rangemap : different timerange

Communicator

Hello,

I have this search:

source="tcp:5543" Requester="uka*" hostname="L05236"|stats count | rangemap field=count severe=0-0 elevated=1-50 default=low

I want to know if it's possible to say in this search that between 00:00 and 10:00 severe=0-0, between 10:00 and 16:00 severe=0-10.

Thanks in advance

Re: rangemap : different timerange

Ultra Champion

I believe that you can rewrite the value of range like this:

source="tcp:5543" Requester="uka*" hostname="L05236" | stats count values(date_hour) AS dh | rangemap field=count severe=0-0 elevated=1-50 default=low | eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

UPDATE

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low | eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

should probably be rewritten like

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count(Event) AS ST by date_hour |rangemap field=ST severe=0-0 elevated=1-50 default=low | eval range=if(date_hour>9 AND date_hour<16 AND ST<11, "severe", range)

EDIT: typo

Hope this helps,

Kristian

Re: rangemap : different timerange

Ultra Champion

Updated. However, what do you want to happen when a search spans from 08:00 to 13:00?

/kristian

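The per-hour counting and hour-dependent thresholds from Kristian's rewritten search, as an added Python model that is not part of this thread or of Splunk itself; it assumes constructed sample events and shows why bucketing by date_hour also covers a search spanning 08:00 to 13:00 (every hour gets its own row and its own threshold).

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: how many "Event" records occur in each hour of one day.
# These values are made up for the example, not data from the thread.
CONSTRUCTED_COUNTS = {3: 60, 9: 5, 12: 8, 14: 30}


def make_events():
    """Expand the constructed counts into (_time, Event) records."""
    base = datetime(2012, 6, 1)  # arbitrary day
    events = []
    for hour, n in CONSTRUCTED_COUNTS.items():
        for i in range(n):
            events.append((base + timedelta(hours=hour, minutes=i % 60), "Event"))
    return events


# Time-of-day windows with their own "severe" upper bound, as the question asks:
# 00:00-10:00 -> severe=0-0, 10:00-16:00 -> severe=0-10 (end hour exclusive).
SEVERE_WINDOWS = [(0, 10, 0), (10, 16, 10)]
ELEVATED_MAX = 50


def severe_max_for_hour(hour):
    for start, end, severe_max in SEVERE_WINDOWS:
        if start <= hour < end:
            return severe_max
    return 0  # hours outside the windows keep the original severe=0-0


def rangemap(value, severe_max):
    """Mirror of `rangemap field=ST severe=0-X elevated=1-50 default=low` (inclusive ranges)."""
    if 0 <= value <= severe_max:
        return "severe"
    if 1 <= value <= ELEVATED_MAX:
        return "elevated"
    return "low"


def count_by_hour(events):
    """Equivalent of `eval date_hour=strftime(_time,"%H") | stats count(Event) AS ST by date_hour`."""
    return Counter(t.strftime("%H") for t, event in events if event is not None)


def classify(events):
    """Return {date_hour: (ST, range)}; one row per hour that has events, as stats would."""
    return {h: (st, rangemap(st, severe_max_for_hour(int(h))))
            for h, st in sorted(count_by_hour(events).items())}


if __name__ == "__main__":
    for h, (st, rng) in classify(make_events()).items():
        print(h, st, rng)
```

Hours with no events produce no row at all, exactly as `stats ... by date_hour` does, so a count of 0 is never actually mapped to "severe".
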
Re: rangemap : different timerange

Communicator

Thanks very much. How can I put it in an XML file? When I put it in my dashboard XML file, I got an error. I think it's the "<" which is the problem.

Thanks in advance,

Laura

Re: rangemap : different timerange

Ultra Champion

Not my field of expertise, but you might benefit from this question and answer regarding characters being interpreted as part of the XML:

http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

/k

Re: rangemap : different timerange

Communicator

The problem is also present in the search bar. I think the problem is "stats count values(date_hour) AS dh", because my table doesn't contain the values of dh, so it can't compare dh with 9 and 16...

Thanks in advance if you know the solution to this problem.

Laura

Re: rangemap : different timerange

Communicator

The problem is that I want to count the number of events by hour and then apply the range to those hourly results, but currently I've got this search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low by| eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

Thanks in advance if you know the solution to this problem.

Laura

Re: rangemap : different timerange

Ultra Champion

The field date_hour is extracted by default for almost all sourcetypes (like punct, timestartpos etc), but not for Windows Event Logs.

Re: rangemap : different timerange

Communicator

The problem is that I want to count the number of events by hour and then apply the range to those hourly results, but currently I've got this search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low by| eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

Thanks in advance if you know the solution to this problem.

Laura

Re: rangemap : different timerange

Legend

Please don't post questions as answers. It makes it very hard to actually see the questions you're asking.