Deployment Architecture
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Creating clusters from intervals of numeric values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SilviaGebel
Path Finder
05-21-2015
06:36 AM
Hi everyone
I want to create clusters of numeric data.
For example:
field: temperature with values between 19.0°C and 23.0°C
the clusters should be as following:
temp1: 19.0 - 21.0
temp2: 21.1 - 22.0
temp3: 22.1 - 23.0
I would need to have a search string as such: |eval temp1=(temperature>="19.0" AND "temperature<="21.0")
so I can search for | chart list(error) by temp*
in order to see how many times an error occured in each of the temperature intervalls.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aweitzman
Motivator
05-21-2015
07:41 AM
To do a chart that is subdivided by temperature clusters, what you want to do is create one field (let's call it temprange) with different values. That way you can use | stats list(error) by temprange to get what you want.
...your search for data...
| eval temprange=case(temperature>=19 AND temperature<=21,"low",temperature>21 AND temperature<=22,"medium",temperature>22 AND temperature<=23,"high",1=1,"out of range")
| stats list(error) as Errors count by temprange
(Assuming that the temperature field is numeric; you don't want to compare numbers using strings as you've listed above. If not, use the convert function on it: | convert auto(temperature) before doing the eval/case statement.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aweitzman
Motivator
05-21-2015
07:41 AM
To do a chart that is subdivided by temperature clusters, what you want to do is create one field (let's call it temprange) with different values. That way you can use | stats list(error) by temprange to get what you want.
...your search for data...
| eval temprange=case(temperature>=19 AND temperature<=21,"low",temperature>21 AND temperature<=22,"medium",temperature>22 AND temperature<=23,"high",1=1,"out of range")
| stats list(error) as Errors count by temprange
(Assuming that the temperature field is numeric; you don't want to compare numbers using strings as you've listed above. If not, use the convert function on it: | convert auto(temperature) before doing the eval/case statement.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SilviaGebel
Path Finder
05-26-2015
03:54 AM
This is perfect! Thank you 🙂
Get Updates on the Splunk Community!
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...
Overwhelmed SOC? Splunk ES Has Your Back
Tool sprawl, alert fatigue, and endless context switching are making ...
What’s New & Next in Splunk SOAR
Security teams today are dealing with more alerts, more tools, and more pressure than ever. Join us on ...
