Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combining multiple field values for stats/charting

DATT
Path Finder
‎07-03-2024 04:06 PM

I have a field in my data named severity that can be one of five values: 1, 2, 3, 4, and 5.

I want to chart on the following: 1-3, 4, and 5.  Anything with a severity value of 3 or lower can be lumped together, but severity 4 and 5 need to be charted separately.

The coalesce command is close but in my case the key is the same, it's the value that changes.  None of the mv commands look like they do quite what I need, nor does nomv.  

The workaround I've considered doing is an eval command with an if statement to say if the severity is 1, 2, or 3, set a new field value to 3, then chart off of this new field.  It feels janky, but I think it would give me what I want.

Is it possible to do what I want in a more elegant manner?

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-03-2024 09:31 PM

You can use rangemap simply

| makeresults count=100
| eval severity=random() % 5 + 1
| rangemap field=severity low=1-3 medium=4-4 high=5-5
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-03-2024 08:25 PM

What's wrong with setting value in the same field?  Given this mock data

Severity
1
1
5
4
4
3
3
1
1
2
3
2
2

and this added to your search,

 

| eval Severity = if(Severity < 4, "lump", Severity)

 

You will get

Severity
lump
lump
5
4
4
lump
lump
lump
lump
lump
lump
lump
lump

Is this what you are looking for? (By the way, to pose an answerable question, it is always good to post sample/mock data, desired output, and explain the logic between illustrated data and desired output.)

Play with this emulation and compare with real data

 

| makeresults format=csv data="Severity
1
1
5
4
4
3
3
1
1
2
3
2
2"
``` data emulation above ```

 

0 Karma
Reply

DATT
Path Finder
‎07-03-2024 10:06 PM

It's probably my own paranoia but I try not to overwrite a data field like this in case I have to use the original data field for whatever reason. But functionally this would do what I need, I just didn't know if there was a more Splunk-y way to do it.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-04-2024 12:28 AM

You can do it by overwriting the field, or just create a new field or use the rangemap, there are so many ways to do it - you can also use fieldformat, which will display a value, but retain the original - see this example how after the stats, the severity retains its numerical value and also the stats will still split by the different numerical values.

| makeresults count=100
| eval severity=random() % 5 + 1
| rangemap field=severity low=1-3 medium=4-4 high=5-5
| fieldformat severity=case(severity<=3, "low", severity=4, "medium", severity=5, "high")
| stats count by severity
| eval x=severity
0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...