Splunk Search

How to use span in a non fixed/non logarithmic manner

asherman
Path Finder

Hi,

I am trying to represent the distribution of the error of my data in 5/10% increments. Since the error ranges as much as 1000%, this makes the labels unreadable and the graph too contracted around the region of interest (near 0%). I have tried using the "span=" syntax, but can't seem to figure out how to have span=0.05 with a barrier such that everything >1 or <-1 is placed in the same group.

My brute force attempt works, but it is quite tedious to modify, and I think there must be a better way:

index=test_index3 max_err=* AND
NOT(max_err=nan)
| rangemap field=max_err "<1.0"=-100000--1
"-1.0<-0.9"=-1--0.9
"-0.9<-0.8"=-0.9--0.8
"-0.8<-0.7"=-0.8--0.7
"-0.7<-0.6"=-0.7--0.6
"-0.6<-0.5"=-0.6--0.5
"-0.5<-0.4"=-0.5--0.4
"-0.4<-0.3"=-0.4--0.3
"-0.3<-0.2"=-0.3--0.2
"-0.2<-0.1"=-0.2--0.1 "-0.1<0"=-0.1-0
"0<0.1"=0-0.1 "0.1<0.2"=0.1-0.2
"0.2<0.3"=0.2-0.3 "0.3<0.4"=0.3-0.4
"0.4<0.5"=0.4-0.5 "0.5<0.6"=0.5-0.6
"0.6<0.7"=0.6-0.7 "0.7<0.8"=0.7-0.8
"0.8<0.9"=0.8-0.9 "0.9<1.0"=0.9-1.0
">1.0"=1-100000 default="nan" | stats count by range
| eval order = if(range="0<0.1",0,
if(range="0.1<0.2",1,
if(range="0.2<0.3",2,
if(range="0.3<0.4",3,
if(range="0.4<0.5",4,
if(range="0.5<0.6",5,
if(range="0.6<0.7",6,
if(range="0.7<0.8",7,
if(range="0.8<0.9",8,
if(range="0.9<1.0",9,
if(range=">1.0",10,
if(range="-1.0<-0.9",-10,
if(range="-0.9<-0.8",-9,
if(range="-0.8<-0.7",-8,
if(range="-0.7<-0.6",-7,
if(range="-0.6<-0.5",-6,
if(range="-0.5<-0.4",-5,
if(range="-0.4<-0.3",-4,
if(range="-0.3<-0.2",-3,
if(range="-0.2<-0.1",-2,
if(range="-0.1<0",-1,
if(range="<1.0",-11,
-12)))))))))))))))))))))) | sort + order | fields - order

Data is all of the form "...max_err={float}...", e.g., max_err=-0.503.

Thanks.

Tags (1)
0 Karma

somesoni2
Revered Legend

Try this.

index=test_index3 max_err=* AND NOT(max_err=nan) 
| eval sno=mvrange(-1,1,0.1) | mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno)
| eval include=if(max_err<0,if(max_err<=sno,"Y","N"),if(max_err>=sno,"Y","N")) 
| where include="Y" | streamstats count as counter by max_err | eventstats max(counter) as maxCount by max_err | where (max_err<0 AND counter=1) OR (max_err>0 AND counter=maxCount) OR (max_err=0 AND abs(sno)=0.0) | table max_err sno | eval sno1=sno-0.1| eval sno1=if(abs(sno1)=0.0,0,sno1) | eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno)  | stats count by range | append [|gentimes start=-1 | eval sno=mvrange(-1,1,0.1)| table sno| mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno) | eval sno1=sno-0.1| eval sno1=if(abs(sno1)=0.0,0,sno1)| eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno) | table range | eval count=0]
| stats sum(count) as count by range
| rex field=range "(?<range>.*)#(?<order>.*)" | sort order | fields - order

asherman
Path Finder

Thanks! This works, but it's also a lot more CPU/time costly than the approach I had above. It's also not much shortened as I had hoped.

Could you clarify for me the purpose of the append? It makes me think of another approach where I use span for the -1-1 range, and append the extremes, something like:
| where max_err>-1
| where max_err<1
| chart count by max_err span=0.1
| append [ ... | where max_err>1 | chart count max_err as ">1"]
| append [ ... | where max_err<-1 | chart count max_err as "<-1"]

This requires extra searches though, which I prefer to avoid.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...