Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I display ranges as text min - max?

grantsmiley
Path Finder
‎06-15-2018 07:10 AM

If I have data such as this:
SensorNo A B C D....Z AA AB....
123 2.4 2.5 2.6 1.0 ....89.1
124 8.6 2.6 3.6 5.7 ....
125 5.6 2.55 4.6 12.1....

And I want a table that shows the ranges of each value, such as in:

 | stats min(A) as minA max(A) as  maxA|eval rangeA=min(A)+" to "+maxA

Would look like:

minA    maxA     rangeA
2.4        8.6         2.6 to 8.6

I do not know how many fields are going to be in this data set in advance but I want that range for all of them, A thru however many there are. Doing that stats naming and eval isn't going to work because I can't predefine how many fields there are. I found I can get the min, max, and max-min using:

 |stats min() max() range()

However, this results in 3x the number of fields I want and a goofy sort of the columns.

The ultimate goal is to drop the fields min(A) max(A) and just display the range in the human readable form "2.6 to 8.6"
|stats.... |fields - min() max()
or something like that

Thanks in advance

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-15-2018 07:59 AM

You need foreach command here to dynamically process fields.

your current search giving fields: SensorNo A B C D....Z AA AB.... 
| stats min(*) as min* max(*) as max*
| foreach min* [| eval "range<<MATCHSTR>>"='max<<MATCHSTR>>'." to ".'min<<MATCHSTR>>' ]
| table range*

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-15-2018 07:59 AM

You need foreach command here to dynamically process fields.

your current search giving fields: SensorNo A B C D....Z AA AB.... 
| stats min(*) as min* max(*) as max*
| foreach min* [| eval "range<<MATCHSTR>>"='max<<MATCHSTR>>'." to ".'min<<MATCHSTR>>' ]
| table range*
0 Karma
Reply
Solved! Jump to solution

grantsmiley
Path Finder
‎06-15-2018 08:05 AM

That works beautifully... thank you. I'm not sure why, but I will have to read about that part.

0 Karma
Reply
Solved! Jump to solution

grantsmiley
Path Finder
‎06-15-2018 07:23 AM

Another query that describes what I want, but this one doesn't work:
|stats min() as min* max() as max* by Spread |eval range*=max*-min*

gives an error on the eval piece, stats part works well.

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-15-2018 07:56 AM

I think you have your syntax incorrect. Try:

| stats min(*) as min* by Spread

I'm not sure about the eval portion, but start with this for now. I can test the other bit out later.

0 Karma
Reply
Solved! Jump to solution

grantsmiley
Path Finder
‎06-15-2018 08:00 AM

It works with or without the * inside the min() parenthesis, splunk documentation for aggregate functions indicates to not use the star so I didn't. That part works fine, the range piece is what I haven't been able to figure out.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...