I have 3 single rangemap fields configured in a dashboard. All 3 field values are actually 0. However, one of the values (for delete) is always shown as 'low' instead of '0'.

Here is the search to verify values:
sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.decode_errors: (?\d+)" | rex field=_raw "megastore.stats.delete_errors: (?\d+)" | stats avg(decode_errors) as avg_decode_errors avg(delete_errors) as avg_delete_errors | eval display_value_delete = tostring(round(avg_delete_errors,0), "commas") | eval display_value_decode = tostring(round(avg_decode_errors,0), "commas")

--> with results
avg_decode_errors avg_delete_errors display_value_decode display_value_delete
0.000000 0.000000 0 0

display_value_delete shows as 'low' in the UI

Here is the xml:

sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.encode_errors: (?<encode_errors>\d+)" | stats avg(encode_errors) as avg_encode_errors | eval display_value_encode = tostring(round(avg_encode_errors,0), "commas")| rangemap field=display_value_encode low=0-1 elevated=2-10 severe=11-1000 default=low

range


sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.decode_errors: (?<decode_errors>\d+)" | stats avg(decode_errors) as avg_decode_errors | eval display_value_decode = tostring(round(avg_decode_errors,0), "commas") | rangemap field=display_value_decode severe=11-1000 elevated=2-10 low=0-1 default=low

range


sourcetype=rfsctl-a* earliest=-24h | rex field=_raw "megastore.stats.delete_errors: (?<delete_errors>\d+)" | stats avg(delete_errors) as avg_delete_errors | eval display_value_delete = tostring(round(avg_delete_errors,0), "commas") | rangemap field=display_value_delete severe=11-1000 elevated=2-10 low=0-1 default=low

range