How to use span in a non fixed/non logarithmic manner

asherman

Path Finder

08-18-2014
01:51 PM

Hi,

I am trying to represent the distribution of the error of my data in 5/10% increments. Since the error ranges as much as 1000%, this makes the labels unreadable and the graph too contracted around the region of interest (near 0%). I have tried using the "span=" syntax, but can't seem to figure out how to have span=0.05 with a barrier such that everything >1 or <-1 is placed in the same group.

My brute force attempt works, but it is quite tedious to modify, and I think there must be a better way:

```
index=test_index3 max_err=* AND NOT(max_err=nan)
| rangemap field=max_err "<1.0"=-100000--1
    "-1.0<-0.9"=-1--0.9
    "-0.9<-0.8"=-0.9--0.8
    "-0.8<-0.7"=-0.8--0.7
    "-0.7<-0.6"=-0.7--0.6
    "-0.6<-0.5"=-0.6--0.5
    "-0.5<-0.4"=-0.5--0.4
    "-0.4<-0.3"=-0.4--0.3
    "-0.3<-0.2"=-0.3--0.2
    "-0.2<-0.1"=-0.2--0.1 "-0.1<0"=-0.1-0
    "0<0.1"=0-0.1 "0.1<0.2"=0.1-0.2
    "0.2<0.3"=0.2-0.3 "0.3<0.4"=0.3-0.4
    "0.4<0.5"=0.4-0.5 "0.5<0.6"=0.5-0.6
    "0.6<0.7"=0.6-0.7 "0.7<0.8"=0.7-0.8
    "0.8<0.9"=0.8-0.9 "0.9<1.0"=0.9-1.0
    ">1.0"=1-100000 default="nan"
| stats count by range
| eval order = if(range="0<0.1",0,
    if(range="0.1<0.2",1,
    if(range="0.2<0.3",2,
    if(range="0.3<0.4",3,
    if(range="0.4<0.5",4,
    if(range="0.5<0.6",5,
    if(range="0.6<0.7",6,
    if(range="0.7<0.8",7,
    if(range="0.8<0.9",8,
    if(range="0.9<1.0",9,
    if(range=">1.0",10,
    if(range="-1.0<-0.9",-10,
    if(range="-0.9<-0.8",-9,
    if(range="-0.8<-0.7",-8,
    if(range="-0.7<-0.6",-7,
    if(range="-0.6<-0.5",-6,
    if(range="-0.5<-0.4",-5,
    if(range="-0.4<-0.3",-4,
    if(range="-0.3<-0.2",-3,
    if(range="-0.2<-0.1",-2,
    if(range="-0.1<0",-1,
    if(range="<1.0",-11,
    -12))))))))))))))))))))))
| sort + order
| fields - order
```

Data is all of the form "...max_err={float}...", e.g., max_err=-0.503.

Thanks.


Re: How to use span in a non fixed/non logarithmic manner

somesoni2

SplunkTrust

08-19-2014
07:21 AM

Try this.

```
index=test_index3 max_err=* AND NOT(max_err=nan)
| eval sno=mvrange(-1,1,0.1) | mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno)
| eval include=if(max_err<0,if(max_err<=sno,"Y","N"),if(max_err>=sno,"Y","N"))
| where include="Y" | streamstats count as counter by max_err | eventstats max(counter) as maxCount by max_err | where (max_err<0 AND counter=1) OR (max_err>0 AND counter=maxCount) OR (max_err=0 AND abs(sno)=0.0) | table max_err sno | eval sno1=sno-0.1| eval sno1=if(abs(sno1)=0.0,0,sno1) | eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno) | stats count by range | append [|gentimes start=-1 | eval sno=mvrange(-1,1,0.1)| table sno| mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno) | eval sno1=sno-0.1| eval sno1=if(abs(sno1)=0.0,0,sno1)| eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno) | table range | eval count=0]
| stats sum(count) as count by range
| rex field=range "(?<range>.*)#(?<order>.*)" | sort order | fields - order
```


Re: How to use span in a non fixed/non logarithmic manner

asherman

Path Finder

08-19-2014
07:57 AM

Thanks! This works, but it's also a lot more CPU/time costly than the approach I had above. It's also not shortened as much as I had hoped.

Could you clarify for me the purpose of the append? It makes me think of another approach where I use span for the -1-1 range, and append the extremes, something like:

```
| where max_err>-1
| where max_err<1
| chart count by max_err span=0.1
| append [ ... | where max_err>1 | chart count max
| append [ ... | where max
```

This requires extra searches though, which I prefer to avoid.
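
An added example, not from any of the posts above: one way to get fixed 0.1-wide buckets with everything below -1 or at or above 1 collapsed into two end buckets is to compute an integer bucket number with `eval` and count by it. It assumes the index and field names used in the thread, half-open buckets (lower edge included, unlike the inclusive `rangemap` ranges), and a Splunk version that provides `makeresults`; the `append` subsearch generates no events from the index and only supplies zero-count rows so that empty buckets still appear.

```spl
index=test_index3 max_err=* AND NOT(max_err=nan)
| eval bucket=case(max_err < -1, -11, max_err >= 1, 10, true(), floor(max_err*10))
| stats count by bucket
| append
    [| makeresults
     | eval bucket=mvrange(-11,11)
     | mvexpand bucket
     | eval count=0
     | fields bucket count]
| stats sum(count) as count by bucket
| eval lo=bucket/10, hi=(bucket+1)/10
| eval range=case(bucket=-11, "<-1.0", bucket=10, ">1.0", true(), lo."<".hi)
| sort num(bucket)
| fields range count
```

Changing the bucket width means changing the multiplier in `floor(max_err*10)`, the divisor in `lo`/`hi`, and the two end bucket numbers together; if empty buckets do not need to be shown, the `append` and the second `stats` can be removed.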