Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you use the rangemap and metadata commands in Splunk?

pavanae
Builder
‎11-27-2017 04:21 PM

I'm trying to understand the usage of rangemap and metadata commands in splunk. I have gone through some documentation but haven't got the complete picture of those commands. It would be really helpfull if anyone can provide some information related to those commands.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-27-2017 11:12 PM

Hi
Have you tried these Splunk docs?

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rangemap

Please go to these docs and let me know you need more understanding.

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-28-2017 10:14 AM

For a good use of metadata, check out Meta Woot! app: https://splunkbase.splunk.com/app/2949/
It helps to know this (I think it should be on this page somewhere besides the comment section):

The metadata command is essentially a macro around tstats. For the clueful, I will translate:
The firstTime field is min(_time).
The lastTime field is max(_time).
The recentTime field is max(_indextime).

I commented about this here:
https://answers.splunk.com/answers/567047/metadata-showing-wrong-last-indexed-time.html?childToView=...

As far as rangemap, again, it helps to translate it to the basic commands that it uses to do what it does. Looking at the examples on the docs page:
Example 1:

... | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray

Is the same as this:

... | eval range=case(
      date_second>=1 AND date_second<=30, "green",
      date_second>=31 AND date_second<=39, "blue",
      date_second>=40 AND date_second<=59, "red",
      true(), "gray")

Example 2:

... | rangemap field=count low=0-0 elevated=1-100 default=severe

Is the same as this:

... | eval range=case(
      count>=0 AND count<=0, "low",
      count>=1 AND count<=100, "elevated",
      true(), "severe")
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-27-2017 11:12 PM

Hi
Have you tried these Splunk docs?

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rangemap

Please go to these docs and let me know you need more understanding.

Thanks

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-28-2017 02:21 AM

@kamlesh_vaghela, I think you posted it too fast... You have provided a link to Metasearch instead of metadata command

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-28-2017 02:46 AM

@niketnilay, ooh, my mistake. Answer updated.
Thanks for the correction.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...