Splunk Search

How to use span in a non-fixed/non-logarithmic manner

asherman
Path Finder

Hi,

I am trying to represent the distribution of the error of my data in 5/10% increments. Since the error ranges as much as 1000%, this makes the labels unreadable and the graph too contracted around the region of interest (near 0%). I have tried using the "span=" syntax, but can't seem to figure out how to have span=0.05 with a barrier such that everything >1 or <-1 is placed in the same group.

My brute force attempt works, but it is quite tedious to modify, and I think there must be a better way:

index=test_index3 max_err=* AND
NOT(max_err=nan)
| rangemap field=max_err "<1.0"=-100000--1
"-1.0<-0.9"=-1--0.9
"-0.9<-0.8"=-0.9--0.8
"-0.8<-0.7"=-0.8--0.7
"-0.7<-0.6"=-0.7--0.6
"-0.6<-0.5"=-0.6--0.5
"-0.5<-0.4"=-0.5--0.4
"-0.4<-0.3"=-0.4--0.3
"-0.3<-0.2"=-0.3--0.2
"-0.2<-0.1"=-0.2--0.1 "-0.1<0"=-0.1-0
"0<0.1"=0-0.1 "0.1<0.2"=0.1-0.2
"0.2<0.3"=0.2-0.3 "0.3<0.4"=0.3-0.4
"0.4<0.5"=0.4-0.5 "0.5<0.6"=0.5-0.6
"0.6<0.7"=0.6-0.7 "0.7<0.8"=0.7-0.8
"0.8<0.9"=0.8-0.9 "0.9<1.0"=0.9-1.0
">1.0"=1-100000 default="nan" | stats count by range
| eval order = if(range="0<0.1",0,
if(range="0.1<0.2",1,
if(range="0.2<0.3",2,
if(range="0.3<0.4",3,
if(range="0.4<0.5",4,
if(range="0.5<0.6",5,
if(range="0.6<0.7",6,
if(range="0.7<0.8",7,
if(range="0.8<0.9",8,
if(range="0.9<1.0",9,
if(range=">1.0",10,
if(range="-1.0<-0.9",-10,
if(range="-0.9<-0.8",-9,
if(range="-0.8<-0.7",-8,
if(range="-0.7<-0.6",-7,
if(range="-0.6<-0.5",-6,
if(range="-0.5<-0.4",-5,
if(range="-0.4<-0.3",-4,
if(range="-0.3<-0.2",-3,
if(range="-0.2<-0.1",-2,
if(range="-0.1<0",-1,
if(range="<1.0",-11,
-12)))))))))))))))))))))) | sort + order | fields - order

Data is all of the form "...max_err={float}...", e.g., max_err=-0.503.

Thanks.


somesoni2
SplunkTrust

Try this.

index=test_index3 max_err=* AND NOT(max_err=nan)
| eval sno=mvrange(-1,1,0.1) | mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno)
| eval include=if(max_err<0,if(max_err<=sno,"Y","N"),if(max_err>=sno,"Y","N"))
| where include="Y"
| streamstats count as counter by max_err
| eventstats max(counter) as maxCount by max_err
| where (max_err<0 AND counter=1) OR (max_err>0 AND counter=maxCount) OR (max_err=0 AND abs(sno)=0.0)
| table max_err sno
| eval sno1=sno-0.1 | eval sno1=if(abs(sno1)=0.0,0,sno1)
| eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno)
| stats count by range
| append [| gentimes start=-1
    | eval sno=mvrange(-1,1,0.1) | table sno | mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno)
    | eval sno1=sno-0.1 | eval sno1=if(abs(sno1)=0.0,0,sno1)
    | eval range=case(sno=-1.0,"<1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno)
    | table range | eval count=0]
| stats sum(count) as count by range
| rex field=range "(?<range>.*)#(?<order>.*)" | sort order | fields - order

asherman
Path Finder

Thanks! This works, but it's also a lot more CPU/time costly than the approach I had above. It's also not shortened as much as I had hoped.

Could you clarify for me the purpose of the append? It makes me think of another approach where I use span for the -1-1 range, and append the extremes, something like:
| where max_err>-1
| where max_err<1
| chart count by max_err span=0.1
| append [ ... | where max_err>1 | chart count max_err as ">1"]
| append [ ... | where max_err<-1 | chart count max_err as "<-1"]

This requires extra searches though, which I prefer to avoid.

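One way to get the clamped 0.1 buckets without a hand-written rangemap, a nested-if order column or an append, added here as an example and not code from either poster: floor each value onto the 0.1 grid, fold everything below -1 and at or above 1 into two edge buckets, and sort on the numeric bucket edge so no order mapping is needed. It assumes the index and field names from the thread; the -1.1 sentinel for the low edge bucket and the two edge labels are my choices.

```spl
index=test_index3 max_err=* AND NOT(max_err=nan)
| eval lo=floor(max_err*10)/10
| eval lo=if(lo<-1, -1.1, if(lo>=1, 1, lo))
| stats count by lo
| sort lo
| eval range=case(lo=-1.1, "<-1.0", lo=1, ">=1.0", true(), lo."<".round(lo+0.1,1))
| fields - lo
```

The bucket comes from floor(), so -0.503 lands in "-0.6<-0.5", -1.0 in "-1<-0.9" and 1.0 in ">=1.0", matching the edges of the rangemap in the question; round() only tidies the upper edge of the label.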