Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rangemap with too many values

tyronetv
Communicator
‎03-01-2013 07:24 AM

have this search:

application response sourcetype=log1 OR sourcetype=log2 (host = host1 OR host = host2 OR host = host3 OR host = host4 ) | rex "(A|a)pplication response.*time was\s+(?P<app_response>\d+)\s" | rangemap field=app_response "A. Less than 0.25 seconds"=0-249 "B. More than 0.25 but less than 0.5 seconds"=250-500 "C. More than half-second but less than a second"=500-1000 default="D. More than a second" |stats count by range

Should work, right? If I run it with just "stats count" I get 55,127 returns.

If I run it with rangemap I get 77,484 with 22,377 going to the "default" category.

If I do the search and and only search for items over 1000 ms I get zero ( "search app_response>1000").

So, why the extra bad numbers? What am I doing wrong?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2013 10:12 PM

Rangemap is a strange command - it is actually a custom command and written as a Python script. I would try this instead:

application response sourcetype=log1 OR sourcetype=log2 (host = host1 OR host = host2 OR host = host3 OR host = host4 ) 
| rex "(A|a)pplication response.*?time was\s+(?P<app_response>\d+)\s" 
| where app_response >= 0
| eval appResponseCategory = case(
          app_response<250,"A. Less than 0.25 seconds",
          app_response>=250 AND app_response<500,"B. More than 0.25 but less than 0.5 seconds"
          app_response>=500 AND app_response<1000,"C. More than half-second but less than a second"
          "1"=="1","D. One second or more" )

Note that I eliminated events that did not have an application response time - this may be where your "extra" default events were arising. Also, I made sure that the categories did not overlap, as your original categories did at 500 (one-half second). Finally, I think that the case function will out-perform the rangemap command.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-01-2013 10:12 PM

Rangemap is a strange command - it is actually a custom command and written as a Python script. I would try this instead:

application response sourcetype=log1 OR sourcetype=log2 (host = host1 OR host = host2 OR host = host3 OR host = host4 ) 
| rex "(A|a)pplication response.*?time was\s+(?P<app_response>\d+)\s" 
| where app_response >= 0
| eval appResponseCategory = case(
          app_response<250,"A. Less than 0.25 seconds",
          app_response>=250 AND app_response<500,"B. More than 0.25 but less than 0.5 seconds"
          app_response>=500 AND app_response<1000,"C. More than half-second but less than a second"
          "1"=="1","D. One second or more" )

Note that I eliminated events that did not have an application response time - this may be where your "extra" default events were arising. Also, I made sure that the categories did not overlap, as your original categories did at 500 (one-half second). Finally, I think that the case function will out-perform the rangemap command.

Reply
Solved! Jump to solution

tyronetv
Communicator
‎03-04-2013 08:33 AM

This was the fix. I had used case before (another question) but was suggested I use rangemap. For this search using case is the clear winner.
Thanks.

0 Karma
Reply
Solved! Jump to solution

tyronetv
Communicator
‎03-01-2013 07:38 PM

2013-03-01 12:35:28,878 INFO [ler-HTTPThreadGroup-17042] RID=1362170128682-2299470 c.r.t.i.s.e.applicationImageArchiveConnection - application response time was 138 milliseconds.

2013-03-01 14:35:22,040[ndler-HTTPThreadGroup-681] INFO dis.service.application.ImageArchiveConnection - [1] application response time was 128 milliseconds.

2013-03-01 12:35:21,950 INFO [ler-HTTPThreadGroup-17053] RID=1362170121771-2299465 c.r.t.i.s.e.applicationImageArchiveConnection - application response time was 124 milliseconds.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 03:24 PM

Can you provide anonymized sample data?

0 Karma
Reply
Solved! Jump to solution

tyronetv
Communicator
‎03-01-2013 02:13 PM

Maybe I wasn't clear. The default bucket has 20,000+ count that do not exist in the search. Read my initial post. Search pipe to count gives 50K+ results. Search pipe to rangemap gives 70K+ results.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 12:52 PM

The default bucket contains all events that do not belong in another bucket. That's those >1000, those <0, and those with no value.

0 Karma
Reply
Solved! Jump to solution

tyronetv
Communicator
‎03-01-2013 11:41 AM

They have "no value" that I can find. There should be no counts in the default bucket. But, to more specifically answer, if you look at the query, I believe the default should include values > 1000

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 10:16 AM

What duration value(s) do those in the default bucket have?

0 Karma
Reply
Solved! Jump to solution

tyronetv
Communicator
‎03-01-2013 09:09 AM

No, the issue is that the 'default' bucket has 20,000+ that don't exist in the primary search string.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-01-2013 09:01 AM

Are there by any chance thousands with exactly 500ms duration? Those get rangemapped twice due to an overlap at 500.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top