Solved: How to apply a rangemap to string values?

butzowj · ‎12-04-2015

Hi Splunkers!

I am running the following search to try and apply a "low" rangemap value if a string matches "up", and a "severe" rangemap value if the string matches "down", but I can' t get the eval field to show in the search results.

Here is the search I am using:

index=f5 pool | head 1 | eval alert_level = case(F5_TCPStatus=="up",1,F5_TCPStatus=="down",0) | rangemap field=alert_level low=1-1 elevated=2-2 severe=3-3

Thanks for any help!

JB

sundareshr · ‎12-04-2015

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

View solution in original post

sundareshr · ‎12-04-2015

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

butzowj · ‎12-04-2015

Thanks for the help Sunda, I actually ended up using the if function to do what I needed, as below:

index=f5 pool rtlvpxaw01 | head 1 | eval status=if(F5_TCPStatus="up",10,0) | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

Cheers,
JB

How to apply a rangemap to string values?

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Are you a member of the Splunk Community?

How to apply a rangemap to string values?

Splunk ITSI & Correlated Network Visibility

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust