Splunk Search

why is Rangemap giving different results based on the label containing ">" or "<"

Path Finder

Hi all,

I have a search with a rangemap that groups based on seconds.
The smallest and first grouping is for a range of less than 30 sec. The label is "<30" with the values being from 0 - 30.
This "label" gives a different result than the label "0-30".

Here are the two examples with results:

| rangemap field=middle
"<30m"=0-30
"30-60m"=30-60
"1-2u"=60-120
"2-4u"=120-240

"range": "<30m",
"totalTransactions": "12568"

| rangemap field=middle
"0-30m"=0-30
"30-60m"=30-60
"1-2u"=60-120
"2-4u"=120-240

"range": "0-30m",
"totalTransactions": "12913"

Has anyone experienced this before or know a solution?

thanks in advance,
Simon

0 Karma

Re: why is Rangemap giving different results based on the label containing ">" or "<"

New Member

try something like this

|eval rank=case((latency>160),4,(latency>120),3,(latency>80),2,(latency<=80),1)
| stats count(rank) by rank

0 Karma

Re: why is Rangemap giving different results based on the label containing ">" or "<"

Path Finder

Hi all,

Thanks for the reactions.
The error shows when you change the label in the rangemap and not the ranges in the mapping.
They both have the same range mapped (0-30) but with different labels.

From the eval example above it would be like:
|eval rank=case((latency>160),">160",(latency>120),">120",(latency>80),">80",(latency<=80),"<=80")
gives different results to this:
|eval rank=case((latency>160),"99999 - 160",(latency>120),"180 - 120",(latency>80),"120 - 80",(latency<=80),"0 - 80")

If this is somehow linked then it would mean that a label has influence on the ranges that rangemap uses. Maybe it needs to be escaped or something, but I have never seen that in SPL before, only in XML or regex.

kind regards.

0 Karma

Re: why is Rangemap giving different results based on the label containing ">" or "<"

Legend

@srichansen I have tested with the case() evaluation function and the rangemap command that, whether there are special characters in the range label or not, the range value remains the same. PS: rangemap did not accept the equals character =.

So it makes me think: is it possible that the latency values were actually changing when you were re-running the search with special characters in the range label?

Please find a run-anywhere example based on Splunk's internal index for the previous day's data so that values do not change (I am using date_second as latency to get dummy data between 1-60).

index=_internal sourcetype=splunkd log_level!="INFO" earliest=-1d@d latest=-0d@d-1s 
| stats min(date_second) as latency by component
| rangemap field=latency "lt 10"=0-10 "gt 10 and lt.eq 30"=10-30 "gt 30 and lt.eq 45"=30-45 "gt 45 and lt.eq 60"=45-60 
| rename range as rangeWithRangeMapAndAlphaCharacters
| rangemap field=latency "<10"=0-10 ">10 & <30"=10-30 ">30 & <45"=30-45 ">45 & <60"=45-60
| rename range as rangeWithRangeMapAndSpecialCharacters
| eval rangeWithCaseAndAlphaCharacters=case(latency<=10,"lt 10",latency>10 AND latency<=30,"gt 10 and lt.eq 30",latency>30 AND latency<=45,"gt 30 and lt.eq 45",latency>45 AND latency<=60,"gt 45 and lt.eq 60",true(),"None")
| eval rangeWithCaseAndSpecialCharacters=case(latency<=10,"<10",latency>10 AND latency<=30,">10 & <=30",latency>30 AND latency<=45,">30 & <=45",latency>45 AND latency<=60,">45 & <=60",true(),"None")
| eval message="Happy Splunking!!!"


0 Karma