Hi Everyone,
I have this query which is running and giving me the difference of errors from yesterday and today based on Name, but need a little help in modifying it.
earliest="-1500m@m" latest="-1440m@m" index=Test host=* | chart count(Errors) as "Yesterday" by Name | join type=outer Name [search index=Test host=* earliest =-60m@m latest=now | chart count(Errors) as "Today" by Name] | eval errDiff=(((Today-Yesterday)/Yesterday)*100) . "%" | sort -Yesterday
It is giving the desired result.
But now I want to get the result based on the % of errors.
For example:
errDiff 0-24 must be GREEN
errDiff 25-49 must be YELLOW
errDiff >50 must be RED
earliest="-1500m@m" latest="-1440m@m" index=Test host=* | chart count(Errors) as "Yesterday" by Name | join type=outer Name [search index=Test host=* earliest =-60m@m latest=now | chart count(Errors) as "Today" by Name] | eval errDiff=(((Today-Yesterday)/Yesterday)*100) | eval errDiff=case(errDiff>=0 AND errDiff<25, "GREEN", errDiff>=25 AND errDiff<50, "YELLOW", errDiff>=50, "RED") | sort -Yesterday
This one is coming perfectly, but it is not showing the errDiff %. I need errDiff % as well as the classification based on color...
Any leads?
TIA
Have you considered the rangemap command? http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Rangemap
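One way to keep the percentage and add the colour as a separate field using rangemap, as an added example rather than code from either poster; it assumes the same index=Test data and rounds errDiff to an integer first, because rangemap matches inclusive integer ranges and a value such as 24.5 would otherwise fall through to the default:

```spl
earliest="-1500m@m" latest="-1440m@m" index=Test host=*
| chart count(Errors) as "Yesterday" by Name
| join type=outer Name
    [search index=Test host=* earliest=-60m@m latest=now
     | chart count(Errors) as "Today" by Name]
| eval errDiff=round(((Today-Yesterday)/Yesterday)*100, 0)
| rangemap field=errDiff green=0-24 yellow=25-49 default=red
| rename range AS errColor
| eval errDiff=errDiff . "%"
| sort -Yesterday
```

Note that a negative errDiff (fewer errors than yesterday) also lands in the default bucket, and a Name with Yesterday=0 produces a null errDiff that rangemap skips, so handle both explicitly before rangemap if they matter for your dashboard.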