I have a field in my data named severity that can be one of five values: 1, 2, 3, 4, and 5.
I want to chart on the following: 1-3, 4, and 5. Anything with a severity value of 3 or lower can be lumped together, but severity 4 and 5 need to be charted separately.
The coalesce command is close but in my case the key is the same, it's the value that changes. None of the mv commands look like they do quite what I need, nor does nomv.
The workaround I've considered doing is an eval command with an if statement to say if the severity is 1, 2, or 3, set a new field value to 3, then chart off of this new field. It feels janky, but I think it would give me what I want.
Is it possible to do what I want in a more elegant manner?
You can simply use rangemap:
| makeresults count=100
| eval severity=random() % 5 + 1
| rangemap field=severity low=1-3 medium=4-4 high=5-5
What's wrong with setting the value in the same field? Given this mock data
| Severity |
| --- |
| 1 |
| 1 |
| 5 |
| 4 |
| 4 |
| 3 |
| 3 |
| 1 |
| 1 |
| 2 |
| 3 |
| 2 |
| 2 |
and this added to your search,
| eval Severity = if(Severity < 4, "lump", Severity)
you will get
| Severity |
| --- |
| lump |
| lump |
| 5 |
| 4 |
| 4 |
| lump |
| lump |
| lump |
| lump |
| lump |
| lump |
| lump |
| lump |
Is this what you are looking for? (By the way, to pose an answerable question, it is always good to post sample/mock data, desired output, and explain the logic between illustrated data and desired output.)
Play with this emulation and compare with real data:
| makeresults format=csv data="Severity
1
1
5
4
4
3
3
1
1
2
3
2
2"
``` data emulation above ```
It's probably my own paranoia but I try not to overwrite a data field like this in case I have to use the original data field for whatever reason. But functionally this would do what I need, I just didn't know if there was a more Splunk-y way to do it.
You can do it by overwriting the field, or just create a new field, or use rangemap; there are so many ways to do it. You can also use fieldformat, which will display a value but retain the original. See this example of how, after the stats, the severity retains its numerical value and the stats will still split by the different numerical values.
| makeresults count=100
| eval severity=random() % 5 + 1
| rangemap field=severity low=1-3 medium=4-4 high=5-5
| fieldformat severity=case(severity<=3, "low", severity=4, "medium", severity=5, "high")
| stats count by severity
| eval x=severity
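As an editor's added example (not part of any answer above), here is one search that keeps the original Severity field intact and derives two label fields from it side by side: the `range` field that rangemap writes, and an explicit bucket field built with case(). The data block is the constructed sample from the second answer; the field name `severity_bucket`, the labels "1-3", "4", "5" and "unknown", and the `default=unknown` fallback are my own choices, not from the thread.

```spl
| makeresults format=csv data="Severity
1
1
5
4
4
3
3
1
1
2
3
2
2"
| rangemap field=Severity low=1-3 medium=4-4 high=5-5 default=unknown
| eval severity_bucket=case(Severity<=3, "1-3", Severity=4, "4", Severity=5, "5", true(), "unknown")
| stats count by Severity range severity_bucket
```

rangemap never touches the field it reads; it adds a field named `range`, and `default=` labels anything that falls outside the declared ranges so a stray value does not silently disappear from the chart. Because Severity is still present, you can chart on either derived field (for example `| chart count by severity_bucket` in place of the final stats) and still drill back down to the exact numeric severity when you need it.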