Dashboards & Visualizations

rangemap with too many values

tyronetv

I have this search:

application response sourcetype=log1 OR sourcetype=log2 (host = host1 OR host = host2 OR host = host3 OR host = host4 ) | rex "(A|a)pplication response.*time was\s+(?P<app_response>\d+)\s" | rangemap field=app_response "A. Less than 0.25 seconds"=0-249 "B. More than 0.25 but less than 0.5 seconds"=250-500 "C. More than half-second but less than a second"=500-1000 default="D. More than a second" |stats count by range

Should work, right? If I run it with just "stats count" I get 55,127 returns.

If I run it with rangemap I get 77,484 with 22,377 going to the "default" category.

If I do the search and only search for items over 1000 ms I get zero ( "search app_response>1000").

So, why the extra bad numbers? What am I doing wrong?


lguinn2

Rangemap is a strange command - it is actually a custom command and written as a Python script. I would try this instead:

application response sourcetype=log1 OR sourcetype=log2 (host = host1 OR host = host2 OR host = host3 OR host = host4 )
| rex "(A|a)pplication response.*?time was\s+(?P<app_response>\d+)\s"
| where app_response >= 0
| eval appResponseCategory = case(
          app_response<250,"A. Less than 0.25 seconds",
          app_response>=250 AND app_response<500,"B. More than 0.25 but less than 0.5 seconds",
          app_response>=500 AND app_response<1000,"C. More than half-second but less than a second",
          "1"=="1","D. One second or more" )
| stats count by appResponseCategory

Note that I eliminated events that did not have an application response time - this may be where your "extra" default events were arising. Also, I made sure that the categories did not overlap, as your original categories did at 500 (one-half second). Finally, I think that the case function will out-perform the rangemap command.

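To see why the two fixes in the answer matter (dropping events with no parsed time, and non-overlapping buckets at 250/500/1000), here is an added Python emulation of that pipeline, not code from the thread or from Splunk: the same rex pattern and half-open case() buckets run over a few constructed log lines.

```python
import re
from collections import Counter

# Mirrors the rex in the answer: non-greedy .*? captures the first "time was"
# after "application response"; the trailing \s requires whitespace after the number.
APP_RESPONSE_RE = re.compile(r"(A|a)pplication response.*?time was\s+(?P<app_response>\d+)\s")

# Mirrors the case() in the answer: half-open [lo, hi) intervals, so 250, 500
# and 1000 each fall into exactly one category (no overlap at 500).
CATEGORIES = [
    (0, 250, "A. Less than 0.25 seconds"),
    (250, 500, "B. More than 0.25 but less than 0.5 seconds"),
    (500, 1000, "C. More than half-second but less than a second"),
]
DEFAULT_CATEGORY = "D. One second or more"

def extract_app_response(event):
    """Response time in ms, or None when the rex would produce no field."""
    m = APP_RESPONSE_RE.search(event)
    return int(m.group("app_response")) if m else None

def categorize(ms):
    for lo, hi, label in CATEGORIES:
        if lo <= ms < hi:
            return label
    return DEFAULT_CATEGORY

def count_by_category(events):
    """rex | where app_response >= 0 | eval case(...) | stats count by category.
    Events with no parsed time are dropped, not pushed into the default bucket."""
    counts, dropped = Counter(), 0
    for event in events:
        ms = extract_app_response(event)
        if ms is None:
            dropped += 1
            continue
        counts[categorize(ms)] += 1
    return dict(counts), dropped

# Constructed sample events (not from the original post); the boundary values
# 250, 500 and 1000 are included on purpose, plus one event with no timing.
SAMPLE_EVENTS = [
    "10:00:01 host1 Application response for /login: time was 120 ms",
    "10:00:02 host2 application response for /api: time was 250 ms",
    "10:00:03 host3 Application response for /api: time was 500 ms",
    "10:00:04 host4 Application response for /report: time was 1000 ms",
    "10:00:05 host1 Application response for /search: time was 2300 ms",
    "10:00:06 host2 application response received, no timing recorded",
]
```

Calling count_by_category(SAMPLE_EVENTS) yields one event in each of A, B and C, two in D, and one dropped event; the dropped count is the number that would otherwise have inflated the default bucket.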
