why is Rangemap giving different results based on ...

srichansen · ‎11-17-2017

Hi all,

I have a search with a rangemap that groups based on seconds.
The smallest and first grouping is for a range of less then 30 sec. The label is "<30" with the values being from 0 - 30.
This "label" gives a different result than the label "0-30".

Here are the two examples with results:

*| rangemap field=middle
"<30m"=0-30
"30-60m"=30-60
"1-2u"=60-120
"2-4u"=120-240

"range": "<30m",
"totalTransactions": "12568"*

*| rangemap field=middle
"0-30m"=0-30
"30-60m"=30-60
"1-2u"=60-120
"2-4u"=120-240

"range": "0-30m",
"totalTransactions": "12913"*

Has anyone experienced this before or know a solution?

thanks in advanced,
Simon

niketn · ‎05-16-2018

@srichansen I have tested with case() evaluation function and rangemap command that whether there are special characters in range label or not, the range value remains the same. PS: rangemap did not accept equal to character =.

So makes me think, is it possible that the latency values were actually changing when you were trying to re-run the search with special characters in the range label?

Please find a run any where example based on Splunk's _internal index for previous day data so that values do not change (I am using date_second as latency to get dummy data between 1-60)

index=_internal sourcetype=splunkd log_level!="INFO" earliest=-1d@d latest=-0d@d-1s 
| stats min(date_second) as latency by component
| rangemap field=latency "lt 10"=0-10 "gt 10 and lt.eq 30"=10-30 "gt 30 and lt.eq 45"=30-45 "gt 45 and lt.eq 60"=45-60 
| rename range as rangeWithRangeMapAndAlphaCharacters
| rangemap field=latency "<10"=0-10 ">10 & <30"=10-30 ">30 & <45"=30-45 ">45 & <60"=45-60
| rename range as rangeWithRangeMapAndSpecialCharacters
| eval rangeWithCaseAndAlphaCharacters=case(latency<=10,"lt 10",latency>10 AND latency<=30,"gt 10 and lt.eq 30",latency>30 AND latency<=45,"gt 30 and lt.eq 45",latency>45 AND latency<=60,"gt 45 and lt.eq 60",true(),"None")
| eval rangeWithCaseAndSpecialCharacters=case(latency<=10,"<10",latency>10 AND latency<=30,">10 & <=30",latency>30 AND latency<=45,">30 & <=45",latency>45 AND latency<=60,">45 & <=60",true(),"None")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

srichansen · ‎05-16-2018

Hi all,

Thanks for the reactions.
The error is showing when you change the label in the rangemap and not the ranges in the mapping.
They both have the same range mapped (0-30) but with different labels.

From the eval example above it would be like:
|eval rank=case((latency>160),">160",(latency>120),">120",(latency>80),">80",(latency<=80),"<=80")
gives different results to this:
|eval rank=case((latency>160),"99999 - 160",(latency>120),"180 - 120",(latency>80),"120 - 80",(latency<=80),"0 - 80")

If this is some how linked then it would mean that a label has influence on the ranges that rangemap uses. Maybe it needs to be escaped or something, but never seen that in spl before only in xml or regex.

kind regards.

maujard · ‎05-15-2018

try somethink like that

|eval rank=case((latency>160),4,(latency>120),3,(latency>80),2,(latency<=80),1)
| stats count(rank) by rank

why is Rangemap giving different results based on the label containing ">" or "<"

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes