- How to compare 4 fields against multiple ranges an...

mshumate

Explorer

06-08-2015
08:56 AM

`inbound_avg_util`, `inbound_max_util`, `outbound_avg_util`, and `outbound_max_util`. Averaging these four fields against a range of 0%-19%, 20%-39%, 40%-59%, 60%-79%, 80+%, into four separate charts by count of source. Someone has presented me an Excel worksheet as an example asking me to reproduce in Splunk, and for my love of Splunk, I said sure I can do that. Well, a week later I'm still trying to figure out the best solution. I've tried using eval to create the ranges, tried rangemap with little luck on one field only. I'm stepping away from it for a bit and collect my thoughts and rethink it, but in the meantime, I thought I would try the forum for the first time.

1 Solution

mshumate

Explorer

06-09-2015
08:47 AM

ah! Thank you Thank you!

Last night I had come up with something similar to the above but without stats and didn't produce the results as yours did. I took what I had and combined it with yours and now have the following:

```
sourcetype=xxx_xxxx
| eval inbound_avg_util = round(inbound_avg_util,2)
| eval inbound_max_util = round(inbound_max_util,2)
| eval outbound_avg_util = round(outbound_avg_util,2)
| eval outbound_max_util = round(outbound_max_util,2)
| stats avg(inbound_avg_util) AS A avg(inbound_max_util) AS B avg(outbound_avg_util) AS C avg(outbound_max_util) AS D by source
| eval range1=case(A >= 0 AND A < 20, "0%-19%", A >= 20 AND A < 40, "20%-39%", A >= 40 AND A < 60, "40%-59%", A >= 60 AND A < 80, "60%-79%", A >= 80, "80+%" )
| eval range2=case(B >= 0 AND B < 20, "0%-19%", B >= 20 AND B < 40, "20%-39%", B >= 40 AND B < 60, "40%-59%", B >= 60 AND B < 80, "60%-79%", B >= 80, "80+%" )
| eval range3=case(C >= 0 AND C < 20, "0%-19%", C >= 20 AND C < 40, "20%-39%", C >= 40 AND C < 60, "40%-59%", C >= 60 AND C < 80, "60%-79%", C >= 80, "80+%" )
| eval range4=case(D >= 0 AND D < 20, "0%-19%", D >= 20 AND D < 40, "20%-39%", D >= 40 AND D < 60, "40%-59%", D >= 60 AND D < 80, "60%-79%", D >= 80, "80+%" )
```

It's now producing the charts (stacked) by the source. A lot of sources (35).

Now I'm trying to figure out how to narrow down the charts (stacked) only on the ranges with four stacked charts. I thought there was a way to group field names into a new field using eval and/or rex and figured I could use the newly created field to chart on. Again I head down that path to eventually become confused. So time to step away again and rethink and read some more. I'm thinking now this may require subsearches?? Am I wrong or is there a better solution?

Basically the end results I'm shooting for would be four charts (stacked) inbound_avg_util, inbound_max_util, outbound_avg_util, outbound_max_util with the range results stacked. I know there's a way, just finding the right solution is the journey with Splunk.

Thanks again

mshumate

Explorer

06-28-2015
03:39 PM

woodcock

Esteemed Legend

06-30-2015
02:53 PM

I think this should do it but if not, you really should ask a new question:

```
sourcetype=xxx_xxxx
| eval inbound_avg_util = round(inbound_avg_util,2)
| eval inbound_max_util = round(inbound_max_util,2)
| eval outbound_avg_util = round(outbound_avg_util,2)
| eval outbound_max_util = round(outbound_max_util,2)
| stats avg(inbound_avg_util) AS A avg(inbound_max_util) AS B avg(outbound_avg_util) AS C avg(outbound_max_util) AS D by source
| eval range1=case(A >= 0 AND A < 20, "0%-19%", A >= 20 AND A < 40, "20%-39%", A >= 40 AND A < 60, "40%-59%", A >= 60 AND A < 80, "60%-79%", A >= 80, "80+%" )
| eval range2=case(B >= 0 AND B < 20, "0%-19%", B >= 20 AND B < 40, "20%-39%", B >= 40 AND B < 60, "40%-59%", B >= 60 AND B < 80, "60%-79%", B >= 80, "80+%" )
| eval range3=case(C >= 0 AND C < 20, "0%-19%", C >= 20 AND C < 40, "20%-39%", C >= 40 AND C < 60, "40%-59%", C >= 60 AND C < 80, "60%-79%", C >= 80, "80+%" )
| eval range4=case(D >= 0 AND D < 20, "0%-19%", D >= 20 AND D < 40, "20%-39%", D >= 40 AND D < 60, "40%-59%", D >= 60 AND D < 80, "60%-79%", D >= 80, "80+%" )
| chart dc(source) by range
```

woodcock

Esteemed Legend

06-09-2015
09:48 AM

`@woodcock` somewhere in it, I will see it and respond.

woodcock

Esteemed Legend

06-08-2015
10:49 AM

Something like this will work:

```
... | stats avg(inbound_avg_util) AS A avg(inbound_max_util) AS B avg(outbound_avg_util) AS C avg(outbound_max_util) AS D by source
| eval Arange=case(A<20, "0%-19%", A<40, "20%-39%", A<60, "40%-59%", A<80, "60%-79%", true(), "80+%" )
| eval Brange=case(B<20, "0%-19%", B<40, "20%-39%", B<60, "40%-59%", B<80, "60%-79%", true(), "80+%" )
| eval Crange=case(C<20, "0%-19%", C<40, "20%-39%", C<60, "40%-59%", C<80, "60%-79%", true(), "80+%" )
| eval Drange=case(D<20, "0%-19%", D<40, "20%-39%", D<60, "40%-59%", D<80, "60%-79%", true(), "80+%" )
```
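
An added example, not from the thread: the cascading `case()` bucketing from the answer above, run end to end on constructed data. The `makeresults` sample rows, the `if-N` source names, and the `untable` step that turns the four averaged fields into one `metric`/`util` pair per source are assumptions for illustration.

```spl
| makeresults count=40
| streamstats count AS n
| eval source="if-".tostring(n % 8)
| eval inbound_avg_util=(n*7) % 100, inbound_max_util=(n*13) % 100,
       outbound_avg_util=(n*3) % 100, outbound_max_util=(n*17) % 100
| stats avg(inbound_avg_util) AS inbound_avg_util
        avg(inbound_max_util) AS inbound_max_util
        avg(outbound_avg_util) AS outbound_avg_util
        avg(outbound_max_util) AS outbound_max_util by source
| untable source metric util
| eval range=case(util<20, "0%-19%", util<40, "20%-39%", util<60, "40%-59%",
                  util<80, "60%-79%", true(), "80+%")
| chart dc(source) over range by metric
```

The result has one row per range and one column per metric, each cell holding the count of sources whose average fell in that range. Because the `<` tests cascade and end in a `true()` default, a fractional average such as 19.5 still lands in a bucket instead of returning NULL.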