Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rangemap : more than 10 where count>10

LauraBre
Communicator
‎06-24-2012 04:18 AM

Hello,

I have a question about rangemap. I want to create a search which allow to have the number of events by a field D_IPADD that I create and apply a rangemap. Red when there are more than 10
D_IPADD where count>10 and yellow where 10>count>5 but I don't know I can do it. I also want to see on the button the number of IP_ADRESS where count>10 for example. Actually my search allows to apply colors when at least one D_IPADD has more than 5 events or 10 and see the number of event but it isn't that I want.

Thanks by advance to your help.

  <searchString>source=tcp:5555 PURCH_DAY=06-14 PURCH_DATE=19 |top 1 D_IPADD| rangemap field=count elevated=5-10 severe=10-100 default=low</searchString>

  <title>Monitoring IP adresses : more than 10 appearances</title>

  <earliestTime>-7d</earliestTime>

  <option name="beforeLabel">NB Transactions : </option>

  <option name="classField">range</option>

  <option name="field">count</option>

</single>
Tags (1)
0 Karma
Reply

Drainy
Champion
‎06-24-2012 04:25 AM

Not to make it too simplistic, but could you not just define something like;

| rangemap field=count low=0-5 elevated=6-10 severe=11-100 default=severe

Since you know that between 0 and 5 is low and then by definition, anything greater than 100 is severe (assuming that is red)
To see the IP address just add a table to the end of your query, something like 

| table IPFIELD,range
Reply

Drainy
Champion
‎06-24-2012 02:29 PM

Well a single value is a statistical view, how can you present a singlevalue on several lines? Its a "single value" :). The idea is to perform a statistical report such as count, avg etc or to return only one event such as the head event with a head 1 and then output the contents of a field to your singlevalue

0 Karma
Reply

LauraBre
Communicator
‎06-24-2012 02:19 PM

Thx very much to yours answers but if I have several lines of results, my single in my xml doesn't work, no????

0 Karma
Reply

Drainy
Champion
‎06-24-2012 12:43 PM

Hah, good point old chap!

0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-24-2012 11:34 AM

Drainy is right on the rangemap, but it could be made simpler;

| rangemap field=count low=0-5 elevated=6-10 default=severe

Your original query would show that a count of 101 (or higher) is categorised as 'low'.

/k

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...