Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I display ranges as text min - max?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I have data such as this:
SensorNo A B C D....Z AA AB....
123 2.4 2.5 2.6 1.0 ....89.1
124 8.6 2.6 3.6 5.7 ....
125 5.6 2.55 4.6 12.1....
And I want a table that shows the ranges of each value, such as in:
| stats min(A) as minA max(A) as maxA|eval rangeA=min(A)+" to "+maxA
Would look like:
minA maxA rangeA
2.4 8.6 2.6 to 8.6
I do not know how many fields are going to be in this data set in advance but I want that range for all of them, A thru however many there are. Doing that stats naming and eval isn't going to work because I can't predefine how many fields there are. I found I can get the min, max, and max-min using:
|stats min() max() range()
However, this results in 3x the number of fields I want and a goofy sort of the columns.
The ultimate goal is to drop the fields min(A) max(A) and just display the range in the human readable form "2.6 to 8.6"
|stats.... |fields - min() max()
or something like that
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need foreach command here to dynamically process fields.
your current search giving fields: SensorNo A B C D....Z AA AB....
| stats min(*) as min* max(*) as max*
| foreach min* [| eval "range<<MATCHSTR>>"='max<<MATCHSTR>>'." to ".'min<<MATCHSTR>>' ]
| table range*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need foreach command here to dynamically process fields.
your current search giving fields: SensorNo A B C D....Z AA AB....
| stats min(*) as min* max(*) as max*
| foreach min* [| eval "range<<MATCHSTR>>"='max<<MATCHSTR>>'." to ".'min<<MATCHSTR>>' ]
| table range*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That works beautifully... thank you. I'm not sure why, but I will have to read about that part.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another query that describes what I want, but this one doesn't work:
|stats min() as min* max() as max* by Spread |eval range*=max*-min*
gives an error on the eval piece, stats part works well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you have your syntax incorrect. Try:
| stats min(*) as min* by Spread
I'm not sure about the eval portion, but start with this for now. I can test the other bit out later.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works with or without the * inside the min() parenthesis, splunk documentation for aggregate functions indicates to not use the star so I didn't. That part works fine, the range piece is what I haven't been able to figure out.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
