
How to deal with value ranges?

Explorer

Hello Community,

I have two simple questions about dealing with value ranges:

1) how to put ranges together?

I have log information with ranges, e.g.:

from="1001" to="2000" type="aaa"
from="2001" to="4000" type="aaa"
from="4001" to="5000" type="aaa"
from="10000" to="20000" type="aaa"
from="20001" to="40000" type="BBB"

I would like to compress it to get something like that:

from="1001" to="5000" type="aaa"
from="10000" to="20000" type="aaa"
from="20001" to="40000" type="BBB"

That means the first three events should be merged, because the range is continuous and they are of the same type. The fourth is another range and the 5th is another type.

Is there any simple way to get it solved?

2) Based on the ranges mentioned above (in the events), is there any simple way, if I have a value, e.g. "1565", to identify what type it is?

Regards,
Peter

0 Karma

Re: How to deal with value ranges?

Ultra Champion

It's a little bit unclear. Are these actual events? Then merging them would... I don't know. This seems better suited for a lookup function... or a case function in the search query or... or a rangemap... but all of those are specified outside the context of the event contents. A little background (and some full events) would be beneficial.

0 Karma

Re: How to deal with value ranges?

Explorer

Yes, they would be one line per event.
In fact I just want to create the log messages; what I have are just ranges of serial numbers (first and last, OK, I wrote "from" and "to"). Only one range per event will be generated, because they occur at different times. Then, at a later time (perhaps daily or weekly) I have to evaluate the data as described: merging ranges together and making a report containing the used ranges of numbers.
I decided to use key="value" pairs for the fields because Splunk recognizes them automatically without further field definitions.

0 Karma

Re: How to deal with value ranges?

Explorer

...and the second point was to use those range log events to find the right item type.
In fact it's not "type" but an identifier (don't care about the name), which I will then use for further searches. That means, if something happens to the number "1565" I would like to make a simple search (maybe using a form input) and get the item type.

0 Karma

Re: How to deal with value ranges?

Explorer

If I do something like that: "... | stats min(from) as first, max(to) as last by type" I will miss that there is a gap between 5000 and 10000.

0 Karma

Re: How to deal with value ranges?

Ultra Champion

Sorry, but I still don't get it. In my mind, the events that you create in your log would contain number=1234, and then you could search with a case or rangemap function. Or actually use the type information already in the events...

0 Karma

Re: How to deal with value ranges?

Ultra Champion

Do you want to - for a given timeframe - find what the actual ranges were... hmm... perhaps...

... | stats min(from) as Low max(to) as High by type | ...

is what you are looking for?

/k

0 Karma

Re: How to deal with value ranges?

Explorer

Something like that, but this one doesn't care about the gap between 5000 and 10000.
There may be multiple gaps between the min and max, and I need to know all the gaps.
That's the problem.

0 Karma

Re: How to deal with value ranges?

SplunkTrust

Will these range values always be in ascending order?

0 Karma

Re: How to deal with value ranges?

Explorer

Now I solved that by writing a custom search command.

0 Karma
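
The merge (question 1) and the value lookup (question 2) discussed in this thread, as an added example in standalone Python; it is not code from any poster and not the custom search command mentioned above. The function names are hypothetical, the sample events are constructed from the ones in the question, and it assumes ranges of different types do not overlap.

```python
import re
from bisect import bisect_right

# Constructed sample events in the key="value" shape used in the question,
# deliberately not in ascending order.
SAMPLE_EVENTS = [
    'from="4001" to="5000" type="aaa"',
    'from="1001" to="2000" type="aaa"',
    'from="20001" to="40000" type="BBB"',
    'from="2001" to="4000" type="aaa"',
    'from="10000" to="20000" type="aaa"',
]

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Extract (from, to, type) from one key="value" event line."""
    fields = dict(KV.findall(line))
    return int(fields["from"]), int(fields["to"]), fields["type"]


def merge_ranges(events):
    """Merge ranges of the same type that touch (next from == last to + 1)
    or overlap; gaps and type changes start a new range."""
    merged = []
    # Sort per type first so same-type neighbours are adjacent in the loop.
    rows = sorted((parse_event(e) for e in events), key=lambda r: (r[2], r[0]))
    for lo, hi, typ in rows:
        last = merged[-1] if merged else None
        if last and last[2] == typ and lo <= last[1] + 1:
            last[1] = max(last[1], hi)
        else:
            merged.append([lo, hi, typ])
    return sorted(tuple(r) for r in merged)


def lookup_type(merged, value):
    """Return the type whose range contains value, or None if it is in a gap."""
    starts = [lo for lo, _, _ in merged]
    i = bisect_right(starts, value) - 1
    if i >= 0 and merged[i][0] <= value <= merged[i][1]:
        return merged[i][2]
    return None


if __name__ == "__main__":
    ranges = merge_ranges(SAMPLE_EVENTS)
    for lo, hi, typ in ranges:
        print(f'from="{lo}" to="{hi}" type="{typ}"')
    print(lookup_type(ranges, 1565))
```

Unlike `stats min(from) max(to) by type`, this keeps the gap between 5000 and 10000 as a boundary between two separate `aaa` ranges.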