My question is a follow up question to my question earlier today.
The rangemap command is displaying high and medium single values correctly, however for my low single values it displays N/A instead of say "3".
My query is:
* NOT INC_CAL* Priority=2| convert timeformat="%F %T" ctime(Last_Modified_Date) AS "LastModified" ctime(Approval_Date) AS "ApprovalDate" ctime(Completion_Date) AS "CompletionDate" ctime(Submit_Date) AS "SubmitDate" ctime(Expected_Date) AS "ExpectedDate" ctime(Closed_Date) AS "ClosedDate" ctime(Resolved_Date) AS "ResolvedDate" ctime(Reported_Date) AS "ReportedDate" ctime(Responded_Date) AS "RespondedDate"| stats distinct_count(Incident_Number) as test| rangemap field=test low=0-9 elevated=10-50
I've read the following questions and answers on splunk>answers:
http://answers.splunk.com/answers/46854/using-rangemap-in-dashboard and
http://answers.splunk.com/answers/34148/single-rangemap-displaying-low-instead-of-number
Then I thought I had hit the jackpot with the following questions but it relates to 0 answers where I have a low answer of 3 and I am still getting N/A:
http://answers.splunk.com/answers/49559/single-value-return-na-instead-of-0
So, neither of the above helped me.
The initial query was not specific enough.
As soon as I added a sourcetype at the front of this query it was fixed, any value below 9 actually shows up as the value and is coloured green:
sourcetype="remedy_incidents" * NOT INC_CAL* Priority=2| convert timeformat="%F %T" ctime(Last_Modified_Date) AS "LastModified" ctime(Approval_Date) AS "ApprovalDate" ctime(Completion_Date) AS "CompletionDate" ctime(Submit_Date) AS "SubmitDate" ctime(Expected_Date) AS "ExpectedDate" ctime(Closed_Date) AS "ClosedDate" ctime(Resolved_Date) AS "ResolvedDate" ctime(Reported_Date) AS "ReportedDate" ctime(Responded_Date) AS "RespondedDate"| stats distinct_count(Incident_Number) as test| rangemap field=test low=0-9 elevated=10-50
Also most of the query can be removed and simplified to:
sourcetype="remedy_incidents" * NOT INC_CAL* Priority=2| stats distinct_count(Incident_Number) as test| rangemap field=test low=0-9 elevated=10-50
The initial query was not specific enough.
As soon as I added a sourcetype at the front of this query it was fixed, any value below 9 actually shows up as the value and is coloured green:
sourcetype="remedy_incidents" * NOT INC_CAL* Priority=2| convert timeformat="%F %T" ctime(Last_Modified_Date) AS "LastModified" ctime(Approval_Date) AS "ApprovalDate" ctime(Completion_Date) AS "CompletionDate" ctime(Submit_Date) AS "SubmitDate" ctime(Expected_Date) AS "ExpectedDate" ctime(Closed_Date) AS "ClosedDate" ctime(Resolved_Date) AS "ResolvedDate" ctime(Reported_Date) AS "ReportedDate" ctime(Responded_Date) AS "RespondedDate"| stats distinct_count(Incident_Number) as test| rangemap field=test low=0-9 elevated=10-50
Also most of the query can be removed and simplified to:
sourcetype="remedy_incidents" * NOT INC_CAL* Priority=2| stats distinct_count(Incident_Number) as test| rangemap field=test low=0-9 elevated=10-50