Solved: using rangemap for +/- infinity

kevintelford · ‎06-03-2010

I'd like to use the rangemap feature to say | rangemap field=myDifference low_pos=0-499 med_pos=500-999 high_pos=1000+ low_neg=-499-0 med_neg=-999--500 high_neg=-1000-

Now I can do the negative side or the positive side, making my high value the default, and just looking for the other two. | rangemap field=myDifference low_pos=0-499 med_pos=500-999 default=high_pos

I can also just bastardize it saying | rangemap field=myDifference low_pos=0-499 med_pos=500-999 high_pos=1000-9999999999999 low_neg=-499-0 med_neg=-999--500 high_neg=-9999999999999--1000

But is there any way to do the above setting high_pos to 1000+ and high_neg to -1000- ?

Thanks

Stephen_Sorkin · ‎06-03-2010

You must be explicit with rangemap. It's a python command, so you could modify it yourself to accommodate this configuration. Alternately, you can use the "case" function in the "eval" command:

... | eval range = case(myDifference < -1000, "high_neg", myDifference < -500, "med_neg", myDifference < 0, "low_neg", myDifference < 500, "low_pos", myDifference < 1000, "med_pos", 1==1, "high_pos")

View solution in original post

Stephen_Sorkin · ‎06-03-2010

You must be explicit with rangemap. It's a python command, so you could modify it yourself to accommodate this configuration. Alternately, you can use the "case" function in the "eval" command:

... | eval range = case(myDifference < -1000, "high_neg", myDifference < -500, "med_neg", myDifference < 0, "low_neg", myDifference < 500, "low_pos", myDifference < 1000, "med_pos", 1==1, "high_pos")

kevintelford · ‎06-03-2010

Awesome. Thank you 🙂

using rangemap for +/- infinity

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!