How to deal with value ranges?

petersob
Explorer

Hello Community,

I have two simple questions about dealing with value ranges:

1) how to put ranges together?

I have log information with ranges, e.g.:

from="1001" to="2000" type="aaa"
from="2001" to="4000" type="aaa"
from="4001" to="5000" type="aaa"
from="10000" to="20000" type="aaa"
from="20001" to="40000" type="BBB"

I would like to compress it to get something like that:

from="1001" to="5000" type="aaa"
from="10000" to="20000" type="aaa"
from="20001" to="40000" type="BBB"

That means the first three events should be merged, because the range is continuous and they are of the same type. The fourth is another range and the 5th is another type.

Is there any simple way to go to get it solved?

2) based on the ranges mentioned above (in the events), is there any simple way, if I have a value, e.g. "1565" to identify what type is it?

Regards,
Peter

0 Karma

Runals
Motivator
... | eval type = case(from > 1000 AND to < 5000,"aaa",from > 10000 AND to < 20000,"aaa", from > 20001 AND to < 40000,"BBB", 1=1,"Other")

For the second part of your question that's what I'd lean toward at any rate. The 1=1 is so that if there are values that fall outside of your ranges that evaluates as true and you can see or alert yourself if "Other" shows up.

petersob
Explorer

Now I solved that by writing a custom search command.

0 Karma

zomis
Explorer

This doesn't provide any useful information at all. More details are needed.

0 Karma

somesoni2
Revered Legend

Will these range values always be in ascending order?

0 Karma

kristian_kolb
Ultra Champion

Do you want to - for a given timeframe - find what the actual ranges were.... hmm.. perhaps...

... | stats min(from) as Low max(to) as High by type | ...

is what you are looking for?

/k

0 Karma

petersob
Explorer

Something like that, but this one doesn't care about the gap between 5000 and 10000.
There may be multiple gaps between the min and max, and I need to know all the gaps.
That's the problem.

0 Karma

kristian_kolb
Ultra Champion

Sorry, but I still don't get it. In my mind, the events that you create in your log would contain number=1234, and then you could search with a case or rangemap function. Or actually use the type information already in the events....

0 Karma

petersob
Explorer

If I do something like that: "... | stats min(from) as first, max(to) as last by type" I will miss that there is a gap between 5000 and 10000.

0 Karma

petersob
Explorer

...and the second point was, to use that range log events to find the right item type.
In fact it's not "type" but an identifier (don't care about the name), which I will use then for further search. That means, if something happens to the number "1565" I would like to make a simple search (maybe using a form input) and get the item type.

0 Karma

petersob
Explorer

Yes, they would be one line per event.
In fact I just want to create the log messages; what I have are just ranges of serial numbers (first and last, OK I wrote "from" and "to"). Only one range per event will be generated, because they occur at different times. Then, at a later time (perhaps daily or weekly) I have to evaluate the data as described: merging ranges together and making a report containing the used ranges of numbers.
I decided to use key="value" pairs for the fields because Splunk recognizes them automatically without further field definitions.

0 Karma
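Since Peter mentions solving this with a custom search command (which in Splunk are written in Python), here is an added Python example that is not Peter's command and not Splunk code. It covers both parts of his original question, the merge of contiguous same-type ranges and the lookup of a single value such as 1565, plus the gap report that the `stats min/max by type` approach misses. The event lines are constructed from the ones in the question; the function names and the "Other" fallback (mirroring the `1=1` branch in Runals' `case()`) are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the key="value" format from the question.
SAMPLE_EVENTS = [
    'from="1001" to="2000" type="aaa"',
    'from="2001" to="4000" type="aaa"',
    'from="4001" to="5000" type="aaa"',
    'from="10000" to="20000" type="aaa"',
    'from="20001" to="40000" type="BBB"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

Range = Tuple[int, int, str]  # (from, to, type)


def parse_event(line: str) -> Range:
    """Extract (from, to, type) from one key="value" event line.

    Malformed events raise ValueError rather than being silently merged.
    """
    fields = dict(KV_RE.findall(line))
    try:
        lo, hi, kind = int(fields["from"]), int(fields["to"]), fields["type"]
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed event: {line!r}") from exc
    if lo > hi:
        raise ValueError(f"from > to in event: {line!r}")
    return lo, hi, kind


def merge_ranges(events) -> List[Range]:
    """Coalesce ranges that are adjacent or overlapping and share the same type.

    Ranges are grouped per type and sorted first, so input order does not
    matter (this answers somesoni2's question about ascending order).
    """
    by_type: Dict[str, List[Tuple[int, int]]] = {}
    for lo, hi, kind in map(parse_event, events):
        by_type.setdefault(kind, []).append((lo, hi))

    merged: List[Range] = []
    for kind, ranges in by_type.items():
        cur_lo = cur_hi = None
        for lo, hi in sorted(ranges):
            # Adjacent (lo == cur_hi + 1) or overlapping (lo <= cur_hi): extend.
            if cur_lo is not None and lo <= cur_hi + 1:
                cur_hi = max(cur_hi, hi)
            else:
                if cur_lo is not None:
                    merged.append((cur_lo, cur_hi, kind))
                cur_lo, cur_hi = lo, hi
        if cur_lo is not None:
            merged.append((cur_lo, cur_hi, kind))
    merged.sort()
    return merged


def find_gaps(merged: List[Range]) -> List[Tuple[int, int]]:
    """Return every unused interval between consecutive merged ranges."""
    gaps = []
    for (_, prev_hi, _), (lo, _, _) in zip(merged, merged[1:]):
        if lo > prev_hi + 1:
            gaps.append((prev_hi + 1, lo - 1))
    return gaps


def lookup_type(merged: List[Range], value: int, default: str = "Other") -> str:
    """Return the type whose range contains value, else the default (like 1=1 in case())."""
    for lo, hi, kind in merged:
        if lo <= value <= hi:
            return kind
    return default


def format_event(lo: int, hi: int, kind: str) -> str:
    """Render a merged range back into the original key="value" layout."""
    return f'from="{lo}" to="{hi}" type="{kind}"'


if __name__ == "__main__":
    merged = merge_ranges(SAMPLE_EVENTS)
    for r in merged:
        print(format_event(*r))
    print("gaps:", find_gaps(merged))
    print("1565 ->", lookup_type(merged, 1565))
    print("7000 ->", lookup_type(merged, 7000))
```

Running it prints the three compressed events from the question, the single gap 5001..9999, "aaa" for 1565 and "Other" for 7000. Inside a custom search command the same `merge_ranges` would run over the events the command receives and emit one result per merged range; because merging is done per type, an overlapping range of a different type is reported separately rather than swallowed.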

kristian_kolb
Ultra Champion

It's a little bit unclear. Are these actual events? Then merging them would... I don't know. This seems better suited for a lookup function..or a case function in the search query or... or a rangemap... but all of those are specified outside the context of the event contents. A little background (and some full events) would be beneficial.

0 Karma