- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help on rangemap command with loadjob
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I use the search below in order to display GOOD or BAD in a panel
When I execute the query i have a result
But I call this search from a loadjob command and I have never results
eventtype=Charge AND (NOT host=E* AND NOT
host=I*)
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity)
| eval Status=if(Wear_Rate>5, "GOOD", "BAD")
| table Status
| loadjob savedsearch="admin:XX:FO_BatteryHealth_Status"
| table Status
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
Could you help me please???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this
| savedsearch "admin:XX:FO_BatteryHealth_Status"
| table Status
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey dyude @jip31 ,
If you are running this search | loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" .. please check the app OR report name, might be a spelling issue
if its coming in a normal search, then it should come with loadjob also ..may be you are missing out something
OR
Ders another way you can run a savedsearch with loadjob command, ie with the search_id
Just open the report name in search and then inspect job ... in the job inspector URL you will find sid=blahblah
|loadjob blahblah
You can refer this doc
https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Loadjob
Let me know if this works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this
| savedsearch "admin:XX:FO_BatteryHealth_Status"
| table Status
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no it doesnt works....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you tell the error you are getting when you run the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have no errors its just empty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try running the query line by line,let me know when you are not able to see the results.
/or share a sample event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| savedsearch "FO_BatteryHealth_Status"
| table Status
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
Try this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nothing...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
