Re: How to use span in a non fixed/non logarithmic...

asherman · ‎08-18-2014

Hi,

I am trying to represent the distribution of the error of my data in 5/10% increments. Since the error ranges as much as 1000%, this makes the labels unreadable and the graph too contracted around the region of interest (near 0%). I have tried using the "span=" syntax, but can't seem to figure out how to have span=0.05 with a barrier such that everything >1 or <-1 is placed in the same group.

My brute force attempt works, but it is quite tedious to modify, and I think there must be a better way:

index=test_index3 max_err=* AND
NOT(max_err=nan)
| rangemap field=max_err "<1.0"=-100000--1
"-1.0<-0.9"=-1--0.9
"-0.9<-0.8"=-0.9--0.8
"-0.8<-0.7"=-0.8--0.7
"-0.7<-0.6"=-0.7--0.6
"-0.6<-0.5"=-0.6--0.5
"-0.5<-0.4"=-0.5--0.4
"-0.4<-0.3"=-0.4--0.3
"-0.3<-0.2"=-0.3--0.2
"-0.2<-0.1"=-0.2--0.1 "-0.1<0"=-0.1-0
"0<0.1"=0-0.1 "0.1<0.2"=0.1-0.2
"0.2<0.3"=0.2-0.3 "0.3<0.4"=0.3-0.4
"0.4<0.5"=0.4-0.5 "0.5<0.6"=0.5-0.6
"0.6<0.7"=0.6-0.7 "0.7<0.8"=0.7-0.8
"0.8<0.9"=0.8-0.9 "0.9<1.0"=0.9-1.0
">1.0"=1-100000 default="nan" | stats count by range
| eval order = if(range="0<0.1",0,
if(range="0.1<0.2",1,
if(range="0.2<0.3",2,
if(range="0.3<0.4",3,
if(range="0.4<0.5",4,
if(range="0.5<0.6",5,
if(range="0.6<0.7",6,
if(range="0.7<0.8",7,
if(range="0.8<0.9",8,
if(range="0.9<1.0",9,
if(range=">1.0",10,
if(range="-1.0<-0.9",-10,
if(range="-0.9<-0.8",-9,
if(range="-0.8<-0.7",-8,
if(range="-0.7<-0.6",-7,
if(range="-0.6<-0.5",-6,
if(range="-0.5<-0.4",-5,
if(range="-0.4<-0.3",-4,
if(range="-0.3<-0.2",-3,
if(range="-0.2<-0.1",-2,
if(range="-0.1<0",-1,
if(range="<1.0",-11,
-12)))))))))))))))))))))) | sort + order | fields - order

Data is all of the form "...max_err={float}...", e.g., max_err=-0.503.

Thanks.

somesoni2 · ‎08-19-2014

Try this.

index=test_index3 max_err=* AND NOT(max_err=nan) 
| eval sno=mvrange(-1,1,0.1) | mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno)
| eval include=if(max_err<0,if(max_err<=sno,"Y","N"),if(max_err>=sno,"Y","N")) 
| where include="Y" | streamstats count as counter by max_err | eventstats max(counter) as maxCount by max_err | where (max_err<0 AND counter=1) OR (max_err>0 AND counter=maxCount) OR (max_err=0 AND abs(sno)=0.0) | table max_err sno | eval sno1=sno-0.1| eval sno1=if(abs(sno1)=0.0,0,sno1) | eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno)  | stats count by range | append [|gentimes start=-1 | eval sno=mvrange(-1,1,0.1)| table sno| mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno) | eval sno1=sno-0.1| eval sno1=if(abs(sno1)=0.0,0,sno1)| eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno) | table range | eval count=0]
| stats sum(count) as count by range
| rex field=range "(?<range>.*)#(?<order>.*)" | sort order | fields - order

asherman · ‎08-19-2014

Thanks! This works, but it's also a lot more CPU/time costly than the approach I had above. It's also not much shortened as I had hoped.

This requires extra searches though, which I prefer to avoid.

How to use span in a non fixed/non logarithmic manner

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...