I have two simple questions about dealing with value ranges:
1) how to put ranges together?
I have log information with ranges, e.g.:
from="1001" to="2000" type="aaa" from="2001" to="4000" type="aaa" from="4001" to="5000" type="aaa" from="10000" to="20000" type="aaa" from="20001" to="40000" type="BBB"
I would like to compress it to get something like that:
from="1001" to="5000" type="aaa" from="10000" to="20000" type="aaa" from="20001" to="40000" type="BBB"
that means, the first three events should be merged, because the range is continuous and they are of the same type. The fourth is another range and the 5th is another type.
Is there any simple way to get it solved?
2) based on the ranges mentioned above (in the events), is there any simple way, if I have a value, e.g. "1565", to identify what type it is?
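As an added example (not part of the original question or any answer in this thread), the merge and lookup logic in plain Python, working on the key="value" lines from the question: contiguous ranges of the same type are merged, the gaps between merged ranges are reported, and a serial number that falls into a gap is classified as "Other". The sample events are constructed from the question's data.

```python
import re

# Constructed sample events in the key="value" format used in the question
SAMPLE_EVENTS = [
    'from="1001" to="2000" type="aaa"',
    'from="2001" to="4000" type="aaa"',
    'from="4001" to="5000" type="aaa"',
    'from="10000" to="20000" type="aaa"',
    'from="20001" to="40000" type="BBB"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" line into an (from, to, type) tuple."""
    kv = dict(KV_RE.findall(line))
    lo, hi = int(kv["from"]), int(kv["to"])
    if lo > hi:
        raise ValueError(f"inverted range in event: {line}")
    return lo, hi, kv["type"]


def merge_ranges(events):
    """Merge ranges that are contiguous (or overlapping) and share a type.
    Event order does not matter; the result is sorted by 'from'."""
    merged = []
    for lo, hi, typ in sorted(parse_event(e) for e in events):
        if merged:
            plo, phi, ptyp = merged[-1]
            if typ == ptyp and lo <= phi + 1:
                merged[-1] = (plo, max(phi, hi), ptyp)  # extend previous range
                continue
        merged.append((lo, hi, typ))
    return merged


def gaps(merged):
    """Unused intervals between consecutive merged ranges (any type)."""
    return [(a[1] + 1, b[0] - 1) for a, b in zip(merged, merged[1:]) if b[0] > a[1] + 1]


def lookup_type(merged, value, default="Other"):
    """Type of the merged range containing value; default if it lies in a gap."""
    for lo, hi, typ in merged:
        if lo <= value <= hi:
            return typ
    return default


def format_ranges(merged):
    """Render merged ranges back in the question's key="value" notation."""
    return " ".join(f'from="{lo}" to="{hi}" type="{t}"' for lo, hi, t in merged)
```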
... | eval type = case(from >= 1001 AND to <= 5000,"aaa", from >= 10000 AND to <= 20000,"aaa", from >= 20001 AND to <= 40000,"BBB", 1=1,"Other")
For the second part of your question that's what I'd lean toward at any rate. The 1=1 is so that if there are values that fall outside of your ranges that evaluates as true and you can see or alert yourself if "Other" shows up.
Do you want to - for a given timeframe - find what the actual ranges were.... hmm.. perhaps...
... | stats min(from) as Low max(to) as High by type | ...
is what you are looking for?
something like that, but this one doesn't care about the gap between 5000 and 10000.
There may be multiple gaps between the min and max, and I need to know all the gaps.
That's the problem.
sorry, but I still don't get it. In my mind, the events that you create in your log would contain number=1234, and then you could search with a rangemap function. Or actually use the type information already in the events....
...and the second point was, to use that range log events to find the right item type.
In fact it's not "type" but an identifier (don't care about the name), which I will use then for further search. That means, if something happens to the number "1565" I would like to make a simple search (maybe using a form input) and get the item type.
yes, they would be one line per event.
In fact I just want to create the log messages; what I have are just ranges of serial numbers (first and last, ok I wrote "from" and "to"). Only one range per event will be generated, because they occur at different times. Then, at a later time (perhaps daily or weekly) I have to evaluate the data as described: merging ranges together and making a report containing the used ranges of numbers.
I decided to use key="value" pairs for the fields because Splunk recognizes them automatically without further field definitions.
It's a little bit unclear. Are these actual events? Then merging them would... I don't know. This seems better suited for a lookup function... or a case function in the search query or... or a rangemap... but all of those are specified outside the context of the event contents. A little background (and some full events) would be beneficial.