Solved: Using parameters in rangemap

stefano_guidoba · ‎12-13-2012

Hi,

what I want to achieve is a dynamic (datetime based) rangemap of an application's exceptions. So, instead of terminating my search with a simple

... | rangemap low=0-100 elevated=101-200 default=severe

I would rather something like that:

... | rangemap low=0-thr elevated=thr-2*thr default=severe

where thr is a value extracted from a lookup table. Is this possible?
Regards,

Stefano

martin_mueller · ‎12-13-2012

Rangemap only takes explicit integers. However, rangemap basically only is shorthand for case:

... | eval range = case(field < low_threshold, "low", field < elevated_threshold, "elevated", field >= elevated_threshold, "severe")

Note, this is not exactly the same as the first rangemap you quote - negative values get the default from rangemap but low from this case. Just take care to specify the case conditions accurately to match your requirements.

View solution in original post

martin_mueller · ‎12-13-2012

Rangemap only takes explicit integers. However, rangemap basically only is shorthand for case:

... | eval range = case(field < low_threshold, "low", field < elevated_threshold, "elevated", field >= elevated_threshold, "severe")

Note, this is not exactly the same as the first rangemap you quote - negative values get the default from rangemap but low from this case. Just take care to specify the case conditions accurately to match your requirements.

stefano_guidoba · ‎12-13-2012

Hi Martin,

in the end I did exactly what you suggested encasing the eval command in a macro. Thanks for your suggestion,
regards

Stefano

Using parameters in rangemap

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting