How do I modify my search to output results in cer...

tanhadil4vr · ‎01-11-2016

Hi Everyone,

I have this query which is running and giving me the difference of errors from yesterday and today based on Name, but need a little help in modifying it.

earliest="-1500m@m" latest="-1440m@m" index=Test host=* | chart count(Errors) as "Yesterday" by Name | join type=outer Name [search index=Test host=* earliest =-60m@m latest=now | chart count(Errors) as "Today" by Name] | eval errDiff=(((Today-Yesterday)/Yesterday)*100) . "%" | sort -Yesterday

It is giving the desired result.
But now I want to get the result based on the % of errors.

For e.g
errDiff 0-24 must be GREEN
errDiff 25-49 must be YELLOW
errDiff >50 must be RED

earliest="-1500m@m" latest="-1440m@m" index=Test host=* | chart count(Errors) as "Yesterday" by Name | join type=outer Name [search index=Test host=* earliest =-60m@m latest=now | chart count(Errors) as "Today" by Name] | eval errDiff=(((Today-Yesterday)/Yesterday)*100) | eval errDiff=case(errDiff>=0 AND errDiff<25, "GREEN", errDiff>=25 AND errDiff<50, "YELLOW", errDiff>=50, "RED") | sort -Yesterday

This one is coming perfectly, but it is not showing the errDiff %. I need errDiff % as well as the classification based on color...

Any leads?

TIA

sundareshr · ‎01-11-2016

Have you considered the rangemap command? http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Rangemap

How do I modify my search to output results in certain colors based on different ranges of percentage values?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor