Dashboards & Visualizations

rangemap : different timerange

LauraBre
Communicator

Hello,

I have this search:

source="tcp:5543" Requester="uka*" hostname="L05236"|stats count | rangemap field=count severe=0-0 elevated=1-50 default=low

I want to know if it's possible to say in this search that between 00:00 and 10:00 severe=0-0, between 10:00 and 16:00 severe=0-10.

Thanks in advance


kristian_kolb
Ultra Champion

I believe that you can rewrite the value of range like this:

source="tcp:5543" Requester="uka*" hostname="L05236" | stats count values(date_hour) AS dh | rangemap field=count severe=0-0 elevated=1-50 default=low | eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

UPDATE

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low | eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

should probably be rewritten like

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count(Event) AS ST by date_hour |rangemap field=ST severe=0-0 elevated=1-50 default=low | eval range=if(date_hour>9 AND date_hour<16 AND ST<11, "severe", range)

EDIT: typo

Hope this helps,

Kristian


LauraBre
Communicator

It worked very well. I put count>11 because I changed my criteria. I just put count because count counts the number of events returned by the search, and that is exactly what I want to do. Thanks very much for your help.

Laura


kristian_kolb
Ultra Champion

Ok, the count(Event) was some type of pseudo-code? In any case, I am happy that it works for you, but you are now saying count>11, rather than count<11. I do not think that is what you want, at least not according to your original post.

Please mark as "answered" if your question has been resolved.

Thanks,

K


LauraBre
Communicator

My problem is resolved. Thanks very much.

This is my final search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") |stats count by date_hour |rangemap field=count severe=0-0 elevated=1-50 default=low | eval range=if(date_hour>9 AND date_hour<16 AND count>11, "severe", range)

kristian_kolb
Ultra Champion

Updated and confirmed that it works. Had to fix a few typos, sorry about that. Do you want count(Event) or just count, which is the same as count(_raw), i.e. the raw event?

If you want to run your search over more than 24 hours, you'll need to combine date_hour with other date_* fields, or use timechart.

/k

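As an added example (not code from the thread), this is one way to carry the same time-of-day thresholds over a search window longer than 24 hours, which the note above says needs more than date_hour alone; it assumes the same source and filters as the final search. timechart produces one row per hour and fills hours with no events with count=0, whereas stats count by date_hour drops hours that have no events, so with stats the severe=0-0 rule can never fire.

```spl
source="tcp:5543" Requester="uka*" hostname="L05236"
| timechart span=1h count
| eval date_hour=tonumber(strftime(_time, "%H"))
| rangemap field=count severe=0-0 elevated=1-50 default=low
| eval range=if(date_hour>=10 AND date_hour<16 AND count<=10, "severe", range)
| table _time date_hour count range
```

Each row carries its full _time bucket, so the same hour on different days stays separate, and the eval override reproduces the 10:00 to 16:00 rule (severe for counts 0 to 10) while the rangemap defaults cover the rest of the day.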

Ayn
Legend

Please don't post questions as answers. It makes it very hard to actually see the questions you're asking.


LauraBre
Communicator

The problem is that I want to count the number of events by hour and then apply the range to the results by hour, but currently I've got this search:

source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low by| eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)

Thanks in advance if you know the solution to this problem.

Laura


kristian_kolb
Ultra Champion

The field date_hour is extracted by default for almost all sourcetypes (like punct, timestartpos etc), but not for Windows Event Logs.


LauraBre
Communicator

The problem is also present in the search bar. I think the problem is "stats count values(date_hour) AS dh", because the values of dh aren't in my table, so afterwards it can't compare dh with 9 and 16...

Thanks in advance if you know the solution to this problem.

Laura


kristian_kolb
Ultra Champion

Not my field of expertise, but you might benefit from this question and answer regarding characters being interpreted as part of the XML:

http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex

/k


LauraBre
Communicator

Thanks very much. How can I put it in an XML file? When I put it in my dashboard XML file, I get an error. I think the "<" is the problem.

Thanks in advance,

Laura


kristian_kolb
Ultra Champion

Updated. However, what do you want to happen when a search spans from 08:00 to 13:00?

/kristian
