Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my rangemap search so that ranges will display as table columns?

cstarling
Explorer
‎03-27-2017 09:30 AM

Hello! I am using Splunk to correlate packet statistics. In a log we have the following fields: sencore_iat and sencore_uncorrected_packets. Our goal is to map a sencore_iat range to the total amount of uncorrected packets per host. We are looking to make a table like below. Lets say iat_range1 is IAT zero to 1 and iat_range2 is IAT from 1 to 5

host | count(iat_in_range1) | total_uncorrected_packets_for_this_host_with_iat_range1 | count(iat_in_range2) | total_uncorrected_packets_for_this_host_with_iat_range2 .

Here is what I have so far: 

myBaseSeach| 
rangemap field=sencore_iat "0 to 1"=0-1 "1 to 5"=1-5 default="other" | 
stats 
count(sencore_iat) as total_occurances_of_iat
sum(sencore_uncorrected_packets) as sum_of_all_uncorreted_packets
by range,  host

This search gives the correct data, however it is not how we want it displayed. This search gives us the iat ranges from the rangemap command in a row, and we are looking to have each iat range from the rangemap command as a column. I am wondering is this possible using the rangemap command?

Please let me know if the question is unclear, or if I should not even be using the rangemap command. Any help would be greatly appreciated!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-27-2017 10:46 AM

Simply change stats to chart and make it BY host range instead of BY range host.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-27-2017 10:49 AM

This makes random test data ...

| makeresults | eval host="a a a a a a a a b b b b b b b b c c c c c c c c c d d d d d" 
| makemv host 
| mvexpand host
| eval rand=random()%100

This maps the data , sorts the ranges to the desired order, produces the chart with columns as requested, then renames the columns to the desired names.

| rangemap field=rand rangeA=0-40 rangeB=41-80 default=rangeC 
| rename range as myrange 
| stats count as mycount sum(rand) as mysum by myrange host 
| chart sum(mysum) over host by myrange
| rename rangeA as "0 to 1", rangeB as "1 to 5", rangeC as "other"
Reply
Solved! Jump to solution

cstarling
Explorer
‎03-27-2017 11:20 AM

This also works nicely. I accepted the other answer simply because it was 3 mins quicker 🙂

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-28-2017 07:00 AM

Heh. Serves me right for testing my code. 😉

It's no big deal which one gets accepted or upvoted, just so you got what you needed.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-27-2017 10:46 AM

Simply change stats to chart and make it BY host range instead of BY range host.

0 Karma
Reply
Solved! Jump to solution

cstarling
Explorer
‎03-27-2017 11:13 AM

this works nicely. Is there a way to change the order of the columns that are spit out by the chart command?

0 Karma
Reply
Solved! Jump to solution

cstarling
Explorer
‎03-27-2017 11:19 AM

I got it with a simple table command. Thanks for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...