Splunk Search

How to apply a rangemap to string values?

butzowj
Path Finder

Hi Splunkers!

I am running the following search to try and apply a "low" rangemap value if a string matches "up", and a "severe" rangemap value if the string matches "down", but I can' t get the eval field to show in the search results.

Here is the search I am using:

index=f5 pool | head 1 | eval alert_level = case(F5_TCPStatus=="up",1,F5_TCPStatus=="down",0) | rangemap field=alert_level low=1-1 elevated=2-2 severe=3-3

Thanks for any help!

JB

0 Karma
1 Solution

sundareshr
Legend

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

View solution in original post

sundareshr
Legend

Since you are forcing the values for alert why not make sure they fall within the range. Something like

 |  eval alert_level = case(F5_TCPStatus="up",5,F5_TCPStatus="down",15,1=1, 25) | rangemap field=alert_level  low=1-10 elevated=11-20 severe=21-30

butzowj
Path Finder

Thanks for the help Sunda, I actually ended up using the if function to do what I needed, as below:

index=f5 pool rtlvpxaw01 | head 1 | eval status=if(F5_TCPStatus="up",10,0) | stats sum(status) AS severity | rangemap field=severity severe=0-9 low=10-11 default=elevated

Cheers,
JB

Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...