Splunk Search

How to apply a rangemap to string values?

butzowj
Path Finder

Hi Splunkers!

I am running the following search to try and apply a "low" rangemap value if a string matches "up", and a "severe" rangemap value if the string matches "down", but I can' t get the eval field to show in the search results.

Here is the search I am using:

index=f5 pool | head 1 | eval alert_level = case(F5_TCPStatus=="up",1,F5_TCPStatus=="down",0) | rangemap field=alert_level low=1-1 elevated=2-2 severe=3-3

Thanks for any help!

JB

0 Karma
1 Solution

sundareshr
Legend

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

View solution in original post

sundareshr
Legend

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

butzowj
Path Finder

Thanks for the help Sunda, I actually ended up using the if function to do what I needed, as below:

index=f5 pool rtlvpxaw01 | head 1 | eval status=if(F5_TCPStatus="up",10,0) | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

Cheers,
JB

Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...