Splunk Search

How to apply a rangemap to string values?

butzowj
Path Finder

Hi Splunkers!

I am running the following search to try and apply a "low" rangemap value if a string matches "up", and a "severe" rangemap value if the string matches "down", but I can' t get the eval field to show in the search results.

Here is the search I am using:

index=f5 pool | head 1 | eval alert_level = case(F5_TCPStatus=="up",1,F5_TCPStatus=="down",0) | rangemap field=alert_level low=1-1 elevated=2-2 severe=3-3

Thanks for any help!

JB

0 Karma
1 Solution

sundareshr
Legend

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

View solution in original post

sundareshr
Legend

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

butzowj
Path Finder

Thanks for the help Sunda, I actually ended up using the if function to do what I needed, as below:

index=f5 pool rtlvpxaw01 | head 1 | eval status=if(F5_TCPStatus="up",10,0) | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

Cheers,
JB

Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since currently there’s no support ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...