Splunk Search

help on rangemap command with loadjob

jip31
Motivator

Hi

I use the search below in order to display GOOD or BAD in a panel.
When I execute the query, I get a result.
But when I call this search from a loadjob command, I never get results.

eventtype=Charge AND (NOT host=E* AND NOT host=I*)
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| eval Status=if(Wear_Rate>5, "GOOD", "BAD") 
| table Status


| loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" 
| table Status 
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded

Could you help me please???

0 Karma
1 Solution

ashajambagi
Communicator

Try using this

| savedsearch "admin:XX:FO_BatteryHealth_Status" 
     | table Status 
     | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
     | rangemap field=severity low=0-0 severe=1-1 default=guarded


0 Karma

vinod94
Contributor

Hey dude @jip31,

If you are running this search | loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" .. please check the app OR report name, it might be a spelling issue.

If it's coming in a normal search, then it should come with loadjob also... maybe you are missing something.

OR

There's another way you can run a saved search with the loadjob command, i.e. with the search_id.

Just open the report name in search and then inspect job ... in the job inspector URL you will find sid=blahblah

|loadjob blahblah

You can refer to this doc

https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Loadjob

Let me know if this works!

0 Karma

ashajambagi
Communicator

Try using this

| savedsearch "admin:XX:FO_BatteryHealth_Status" 
     | table Status 
     | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
     | rangemap field=severity low=0-0 severe=1-1 default=guarded
0 Karma

jip31
Motivator

No, it doesn't work....

0 Karma

ashajambagi
Communicator

Can you tell the error you are getting when you run the search?

0 Karma

jip31
Motivator

I have no errors, it's just empty.

0 Karma

ashajambagi
Communicator

Try running the query line by line, and let me know when you are not able to see the results.
Or share a sample event.

0 Karma
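
To test the mapping stage on its own, independent of the saved search, here is an added example (not posted by anyone in this thread) that pushes three constructed Status values through the same eval and rangemap steps. The makeresults rows and the n and note fields are assumptions made only for this test.

```spl
| makeresults count=3
| streamstats count AS n
| eval note="constructed test row, not real data"
| eval Status=case(n=1, "GOOD", n=2, "BAD", n=3, "UNKNOWN")
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
| table Status severity range note
```

If this returns three rows with range set to low, severe and guarded, the eval and rangemap steps are working, and an empty panel means the stage that supplies Status returned no rows.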

ashajambagi
Communicator

| savedsearch "FO_BatteryHealth_Status"
     | table Status
     | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
     | rangemap field=severity low=0-0 severe=1-1 default=guarded

Try this

0 Karma

jip31
Motivator

Nothing...

0 Karma