Splunk Search

Check on in between of a ranger query

Ron1999
New Member

Hello,

How can I get all the pod names with a query where the value is between 1.5 and 2.5? I can share a sample SignalFx query for better understanding.

 

Ron1999_0-1718120487091.png

How can I write an equivalent Splunk query for this?

 

0 Karma

P_vandereerden
Splunk Employee

If I'm reading this right, you have data that has events with pods and their phases. In your example query, you appear to be using decimal values to create your ranges, but can we assume that the actual pod states fall on specific integers?

Something like this might work:

 

| makeresults count=25 
| eval phase=(random()%5)+1 
``` Everything above here is just to create sample data ```
``` The following statement groups and counts phases. ```
| stats count by phase
``` The following statement maps phases to a string equivalent ```
| eval label=case(phase=1,"A (Pending)", 
                  phase=2,"B (Running)",
                  phase=3,"C (Succeeded)",
                  phase=4,"D (Failed)",
                  phase=5,"E (Stopping?)",
                  1=1,"Unknown")

 


If the phase values are not discrete, and the range you mention is necessary, then you can use a case statement like this:

 

| makeresults count=25 
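| eval phase=((random()%50)/10)+1
``` Everything above here is just to create sample data ```
``` The following statement buckets each decimal phase value into a range ```
| eval phase_group=case(phase<1.5,1,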
                        phase<2.5,2,
                        phase<3.5,3,
                        phase<4.5,4,
                        phase<5.5,5) 
| stats count by phase_group 
| eval label=case(phase_group=1,"A (Pending)", 
                  phase_group=2,"B (Running)",
                  phase_group=3,"C (Succeeded)",
                  phase_group=4,"D (Failed)",
                  phase_group=5,"E (Stopping?)",
                  1=1,"Unknown")

 

 

Paul van der Eerden,
Breaking software for over 20 years.
0 Karma
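
Added example, not part of the original posts: the range buckets in the answer above can also be used as a direct filter to list the pods themselves. The field names `pod` and `phase`, and taking the latest value per pod, are assumptions, since the original query is not shown on the page; the first three lines only build constructed sample data.

```spl
| makeresults count=25 ```constructed sample events, not real data```
| streamstats count AS n
| eval pod="pod-".(n%8), phase=((random()%50)/10)+1 ```pod and phase are assumed field names```
| stats latest(phase) AS phase BY pod ```assumption: one current value per pod```
| where phase>=1.5 AND phase<2.5 ```same boundaries as the phase_group=2 bucket```
| table pod phase
```

On real data, replace the first three lines with the base search that returns the pod events.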