Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rangemap : more than 10 where count>10

LauraBre
Communicator
‎06-24-2012 04:18 AM

Hello,

I have a question about rangemap. I want to create a search which allow to have the number of events by a field D_IPADD that I create and apply a rangemap. Red when there are more than 10
D_IPADD where count>10 and yellow where 10>count>5 but I don't know I can do it. I also want to see on the button the number of IP_ADRESS where count>10 for example. Actually my search allows to apply colors when at least one D_IPADD has more than 5 events or 10 and see the number of event but it isn't that I want.

Thanks by advance to your help.

  <searchString>source=tcp:5555 PURCH_DAY=06-14 PURCH_DATE=19 |top 1 D_IPADD| rangemap field=count elevated=5-10 severe=10-100 default=low</searchString>

  <title>Monitoring IP adresses : more than 10 appearances</title>

  <earliestTime>-7d</earliestTime>

  <option name="beforeLabel">NB Transactions : </option>

  <option name="classField">range</option>

  <option name="field">count</option>

</single>
Tags (1)
0 Karma
Reply

Drainy
Champion
‎06-24-2012 04:25 AM

Not to make it too simplistic, but could you not just define something like;

| rangemap field=count low=0-5 elevated=6-10 severe=11-100 default=severe

Since you know that between 0 and 5 is low and then by definition, anything greater than 100 is severe (assuming that is red)
To see the IP address just add a table to the end of your query, something like 

| table IPFIELD,range
Reply

Drainy
Champion
‎06-24-2012 02:29 PM

Well a single value is a statistical view, how can you present a singlevalue on several lines? Its a "single value" :). The idea is to perform a statistical report such as count, avg etc or to return only one event such as the head event with a head 1 and then output the contents of a field to your singlevalue

0 Karma
Reply

LauraBre
Communicator
‎06-24-2012 02:19 PM

Thx very much to yours answers but if I have several lines of results, my single in my xml doesn't work, no????

0 Karma
Reply

Drainy
Champion
‎06-24-2012 12:43 PM

Hah, good point old chap!

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-24-2012 11:34 AM

Drainy is right on the rangemap, but it could be made simpler;

| rangemap field=count low=0-5 elevated=6-10 default=severe

Your original query would show that a count of 101 (or higher) is categorised as 'low'.

/k

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...