Splunk Search

Combining multiple field values for stats/charting

DATT
Explorer

I have a field in my data named severity that can be one of five values: 1, 2, 3, 4, and 5.

I want to chart on the following: 1-3, 4, and 5.  Anything with a severity value of 3 or lower can be lumped together, but severity 4 and 5 need to be charted separately.

The coalesce command is close but in my case the key is the same, it's the value that changes.  None of the mv commands look like they do quite what I need, nor does nomv.  

The workaround I've considered doing is an eval command with an if statement to say if the severity is 1, 2, or 3, set a new field value to 3, then chart off of this new field.  It feels janky, but I think it would give me what I want.

Is it possible to do what I want in a more elegant manner?

0 Karma

bowesmana
SplunkTrust

You can use rangemap simply

| makeresults count=100
| eval severity=random() % 5 + 1
| rangemap field=severity low=1-3 medium=4-4 high=5-5

yuanliu
SplunkTrust

What's wrong with setting the value in the same field? Given this mock data

Severity
1
1
5
4
4
3
3
1
1
2
3
2
2

and this added to your search,

| eval Severity = if(Severity < 4, "lump", Severity)

You will get

Severity
lump
lump
5
4
4
lump
lump
lump
lump
lump
lump
lump
lump

Is this what you are looking for? (By the way, to pose an answerable question, it is always good to post sample/mock data, desired output, and explain the logic between illustrated data and desired output.)

Play with this emulation and compare with real data

| makeresults format=csv data="Severity
1
1
5
4
4
3
3
1
1
2
3
2
2"
``` data emulation above ```

0 Karma

DATT
Explorer

It's probably my own paranoia but I try not to overwrite a data field like this in case I have to use the original data field for whatever reason. But functionally this would do what I need, I just didn't know if there was a more Splunk-y way to do it.

0 Karma

bowesmana
SplunkTrust

You can do it by overwriting the field, or just create a new field or use the rangemap, there are so many ways to do it - you can also use fieldformat, which will display a value, but retain the original - see this example how after the stats, the severity retains its numerical value and also the stats will still split by the different numerical values.

| makeresults count=100
| eval severity=random() % 5 + 1
| rangemap field=severity low=1-3 medium=4-4 high=5-5
| fieldformat severity=case(severity<=3, "low", severity=4, "medium", severity=5, "high")
| stats count by severity
| eval x=severity

0 Karma
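Carrying the thread's suggestions through to the actual chart, as an added example that is not from any of the posters above: the sample data is constructed with makeresults, rangemap writes its label to a new field named range so the numeric severity field is left untouched, a case() eval produces the same 1-3 / 4 / 5 grouping under a field name of your own choosing (sev_bucket is an assumed name), and timechart then splits the count by that bucket.

```spl
| makeresults count=200
| eval severity=random() % 5 + 1
| eval _time=now() - (random() % 200) * 60
| rangemap field=severity low=1-3 medium=4-4 high=5-5
| eval sev_bucket=case(severity<=3, "1-3", severity=4, "4", severity=5, "5")
| timechart span=30m count by sev_bucket
```

In a real search, replace the three makeresults/eval lines that build the sample with your own base search; the rangemap, case() and timechart lines stay the same, and severity remains available for any later command.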