Dashboards & Visualizations

single rangemap displaying 'low' instead of number

Explorer

I have 3 single rangemap fields configured in a dashboard. All 3 field values are actually 0. However, one of the values (for delete) is always shown as 'low' instead of '0'.

Here is the search to verify values:
sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.decode_errors: (?\d+)" | rex field=_raw "megastore.stats.delete_errors: (?\d+)" | stats avg(decode_errors) as avg_decode_errors avg(delete_errors) as avg_delete_errors | eval display_value_delete = tostring(round(avg_delete_errors,0), "commas") | eval display_value_decode = tostring(round(avg_decode_errors,0), "commas")

--> with results
avg_decode_errors avg_delete_errors display_value_decode display_value_delete
0.000000 0.000000 0 0

display_value_delete shows as 'low' in the UI

Here is the xml:



sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.encode_errors: (?<encode_errors>\d+)" | stats avg(encode_errors) as avg_encode_errors | eval display_value_encode = tostring(round(avg_encode_errors,0), "commas")| rangemap field=display_value_encode low=0-1 elevated=2-10 severe=11-1000 default=low
Encode Errors
range


sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.decode_errors: (?<decode_errors>\d+)" | stats avg(decode_errors) as avg_decode_errors | eval display_value_decode = tostring(round(avg_decode_errors,0), "commas") | rangemap field=display_value_decode severe=11-1000 elevated=2-10 low=0-1 default=low
Decode Errors
range


sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.delete_errors: (?<delete_errors>\d+)" | stats avg(delete_errors) as avg_delete_errors | eval display_value_delete = tostring(round(avg_delete_errors,0), "commas") | rangemap field=display_value_delete severe=11-1000 elevated=2-10 low=0-1 default=low
Delete Errors
range

Tags (1)

Path Finder

Check out the answer from zeigfried:

http://splunk-base.splunk.com/answers/4450/single-values-rangemap-and-displaying-original-field-valu...

I think that's what you're after.

Builder

Do you know "defalut=low" means? You may need to delete it in order to achieve your purpose?

... | rangemap field=display_value_encode low=0-1 elevated=2-10 severe=11-1000 default=low

Can you change the rangemap search as following and let me know if this sovle?

... | rangemap field=display_value_encode low=0-1 elevated=2-10 severe=11-1000

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!