Splunk Search

What's wrong with my rangemap?

a212830
Champion

Hi,

I'm trying out some searches learned at .conf. This one is supposed to provide lag info for indexing delays. Unfortunately, I can't get it to work. Any help is appreciated.

| metadata type=hosts   
| eval seconds_lag=(recentTime -lastTime)
| convert ctime(lastTime) as LastTime
| convert ctime(firstTime) as FirstTime
| convert ctime(recentTime) as IndexTime
| rangemap field=seconds_lag low=0-1800 elevated=1801-3600
| fields host,FirstTime,LastTime,IndexTime,seconds_lag,range
Tags (2)
0 Karma

sloshburch
Splunk Employee
Splunk Employee

Also, depending on permissions, you may need to add indexes=* to your first line.

For example, you could go so far as starting with the new line:

| metadata type=hosts ( index=* OR index=_* )
0 Karma

maciep
Champion

Just a long shot, but did you copy and paste this search from somewhere else? Wondering if maybe the dash is like a long dash or something along those lines. If you typed it out yourself in the search bar, then that shouldn't be a problem.

MuS
Legend

This the answer, because the Em dash will cause this error. You can test it with the two following searches:

working:

| metadata type=hosts    
 | eval seconds_lag=(recentTime -lastTime)
 | convert ctime(lastTime) as LastTime
 | convert ctime(firstTime) as FirstTime
 | convert ctime(recentTime) as IndexTime
 | rangemap field=seconds_lag low=0-1800 elevated=1801-3600
 | fields host,FirstTime,LastTime,IndexTime,seconds_lag,range

not working:

| metadata type=hosts    
 | eval seconds_lag=(recentTime -lastTime)
 | convert ctime(lastTime) as LastTime
 | convert ctime(firstTime) as FirstTime
 | convert ctime(recentTime) as IndexTime
 | rangemap field=seconds_lag low=0—1800 elevated=1801—3600
 | fields host,FirstTime,LastTime,IndexTime,seconds_lag,range

Returns the error Error in 'rangemap' command: Invalid range: '0—1800'. '-' expected. because of the Em dash http://www.thepunctuationguide.com/em-dash.html

cheers, MuS

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Odd - 6.3.0 here.

Try one of the examples from http://docs.splunk.com/Documentation/Splunk/6.1.9/SearchReference/rangemap to narrow it down, if those work then modify from there.

0 Karma

badrinath_itrs
Communicator

The rangemap command works fine with my splunk version 6.2.3 . Alternatively you can try with case statement for your requirement.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That query seems to work for me. What results are you getting that appear wrong?

0 Karma

a212830
Champion

I get:

Error in 'rangemap' command: Invalid range: '0-1800 elevated=1801-3600'. '-' expected.

I am running Splunk 6.1.9

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...