help on rangemap command with loadjob

jip31
Motivator

Hi

I use the search below in order to display GOOD or BAD in a panel.
When I execute the query, I have a result.
But I call this search from a loadjob command and I never have results.

eventtype=Charge AND (NOT host=E* AND NOT host=I*)
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| eval Status=if(Wear_Rate>5, "GOOD", "BAD") 
| table Status


| loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" 
| table Status 
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded

Could you help me please???

0 Karma
1 Solution

ashajambagi
Communicator

Try using this

| savedsearch "admin:XX:FO_BatteryHealth_Status" 
     | table Status 
     | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
     | rangemap field=severity low=0-0 severe=1-1 default=guarded

0 Karma

vinod94
Contributor

Hey dude @jip31,

If you are running this search | loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" ... please check the app OR report name, it might be a spelling issue.

If it's coming in a normal search, then it should come with loadjob also... maybe you are missing out something.

OR

There's another way you can run a saved search with the loadjob command, i.e. with the search_id.

Just open the report name in search and then inspect job ... in the job inspector URL you will find sid=blahblah

|loadjob blahblah

You can refer to this doc

https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Loadjob

Let me know if this works!

0 Karma

jip31
Motivator

No, it doesn't work....

0 Karma

ashajambagi
Communicator

Can you tell the error you are getting when you run the search?

0 Karma

jip31
Motivator

I have no errors, it's just empty.

0 Karma

ashajambagi
Communicator

Try running the query line by line, let me know when you are not able to see the results.
Or share a sample event.

0 Karma
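
One way to apply the line-by-line check suggested above, as an added example that is not from any poster in this thread: it feeds constructed rows (GOOD, BAD, a row with no Status, and an unexpected value) through the same eval and rangemap stages, with no saved search involved. The field n and the value "UNEXPECTED" are made up for the test.

```spl
| makeresults count=4
| streamstats count AS n
| eval Status=case(n=1, "GOOD", n=2, "BAD", n=4, "UNEXPECTED")
| table n Status
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
| table n Status severity range
```

Every row, including the one with no Status, comes back with a range value (low, severe or guarded), so an empty panel means the loadjob stage returned zero rows rather than the mapping failing.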

ashajambagi
Communicator
 | savedsearch "FO_BatteryHealth_Status" 
      | table Status 
      | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
      | rangemap field=severity low=0-0 severe=1-1 default=guarded

Try this

0 Karma

jip31
Motivator

Nothing...

0 Karma