Solved: help on rangemap command with loadjob

jip31 · ‎02-21-2019

Hi

I use the search below in order to display GOOD or BAD in a panel
When I execute the query i have a result
But I call this search from a loadjob command and I have never results

eventtype=Charge AND (NOT host=E* AND NOT
 host=I*)
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| eval Status=if(Wear_Rate>5, "GOOD", "BAD") 
| table Status


| loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" 
| table Status 
| eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded

Could you help me please???

ashajambagi · ‎02-21-2019

Try using this

| savedsearch "admin:XX:FO_BatteryHealth_Status" 
     | table Status 
     | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
     | rangemap field=severity low=0-0 severe=1-1 default=guarded

View solution in original post

vinod94 · ‎02-23-2019

Hey dyude @jip31 ,

If you are running this search | loadjob savedsearch="admin:XX:FO_BatteryHealth_Status" .. please check the app OR report name, might be a spelling issue

if its coming in a normal search, then it should come with loadjob also ..may be you are missing out something

OR

Ders another way you can run a savedsearch with loadjob command, ie with the search_id

Just open the report name in search and then inspect job ... in the job inspector URL you will find sid=blahblah

|loadjob blahblah

You can refer this doc

https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Loadjob

Let me know if this works!

ashajambagi · ‎02-21-2019

Try using this

| savedsearch "admin:XX:FO_BatteryHealth_Status" 
     | table Status 
     | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
     | rangemap field=severity low=0-0 severe=1-1 default=guarded

jip31 · ‎02-21-2019

no it doesnt works....

ashajambagi · ‎02-21-2019

Can you tell the error you are getting when you run the search?

jip31 · ‎02-22-2019

I have no errors its just empty

ashajambagi · ‎02-23-2019

Try running the query line by line,let me know when you are not able to see the results.
/or share a sample event

ashajambagi · ‎02-21-2019

 | savedsearch "FO_BatteryHealth_Status" 
      | table Status 
      | eval severity=case(Status="GOOD", 0, Status="BAD", 1, true(), 999) 
      | rangemap field=severity low=0-0 severe=1-1 default=guarded

Try this

jip31 · ‎02-22-2019

Nothing...

help on rangemap command with loadjob

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation