Solved: How to replace a field's contents based on their n...

GenericSplunkUs · ‎06-29-2017

I'm trying to replace the contents of a field to the severity based on the number (I.E. 0 to 19 with Low, 20 to 39 with Medium).

The field can have the numbers 1 to 99 in them and I want the output to display the severity in text.

Low (0 to 19),
Medium (20 to 39),
High (40 to 59),
Critical (60 to 79),
Emergency (80 to 99)

I've tried rex=Severity mode=sed "s/1/Low/g" and it'll work but I need to do a range from 0 to 19. All 99 in a rex style goes over the allowed search characters.

How would I achieve this?

richgalloway · ‎06-29-2017

Check out the rangemap command.

... | rangemap field=Severity Low=0-19 Medium=20-39 High=40-50 Critical=60-79 Emergency=80-99 | table range

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-29-2017

Check out the rangemap command.

... | rangemap field=Severity Low=0-19 Medium=20-39 High=40-50 Critical=60-79 Emergency=80-99 | table range

---
If this reply helps you, Karma would be appreciated.

GenericSplunkUs · ‎06-29-2017

Worked perfectly, Thank you.

How to replace a field's contents based on their number?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!