Splunk Search

How to use span in a non fixed/non logarithmic manner

asherman
Path Finder

Hi,

I am trying to represent the distribution of the error of my data in 5/10% increments. Since the error ranges as much as 1000%, this makes the labels unreadable and the graph too contracted around the region of interest (near 0%). I have tried using the "span=" syntax, but can't seem to figure out how to have span=0.05 with a barrier such that everything >1 or <-1 is placed in the same group.

My brute force attempt works, but it is quite tedious to modify, and I think there must be a better way:

index=test_index3 max_err=* AND NOT(max_err=nan)
| rangemap field=max_err
    "<-1.0"=-100000--1
    "-1.0<-0.9"=-1--0.9
    "-0.9<-0.8"=-0.9--0.8
    "-0.8<-0.7"=-0.8--0.7
    "-0.7<-0.6"=-0.7--0.6
    "-0.6<-0.5"=-0.6--0.5
    "-0.5<-0.4"=-0.5--0.4
    "-0.4<-0.3"=-0.4--0.3
    "-0.3<-0.2"=-0.3--0.2
    "-0.2<-0.1"=-0.2--0.1
    "-0.1<0"=-0.1-0
    "0<0.1"=0-0.1
    "0.1<0.2"=0.1-0.2
    "0.2<0.3"=0.2-0.3
    "0.3<0.4"=0.3-0.4
    "0.4<0.5"=0.4-0.5
    "0.5<0.6"=0.5-0.6
    "0.6<0.7"=0.6-0.7
    "0.7<0.8"=0.7-0.8
    "0.8<0.9"=0.8-0.9
    "0.9<1.0"=0.9-1.0
    ">1.0"=1-100000
    default="nan"
| stats count by range
| eval order = if(range="0<0.1",0,
    if(range="0.1<0.2",1,
    if(range="0.2<0.3",2,
    if(range="0.3<0.4",3,
    if(range="0.4<0.5",4,
    if(range="0.5<0.6",5,
    if(range="0.6<0.7",6,
    if(range="0.7<0.8",7,
    if(range="0.8<0.9",8,
    if(range="0.9<1.0",9,
    if(range=">1.0",10,
    if(range="-1.0<-0.9",-10,
    if(range="-0.9<-0.8",-9,
    if(range="-0.8<-0.7",-8,
    if(range="-0.7<-0.6",-7,
    if(range="-0.6<-0.5",-6,
    if(range="-0.5<-0.4",-5,
    if(range="-0.4<-0.3",-4,
    if(range="-0.3<-0.2",-3,
    if(range="-0.2<-0.1",-2,
    if(range="-0.1<0",-1,
    if(range="<-1.0",-11,
    -12))))))))))))))))))))))
| sort + order
| fields - order

Data is all of the form "...max_err={float}...", e.g., max_err=-0.503.

Thanks.


somesoni2
SplunkTrust

Try this.

index=test_index3 max_err=* AND NOT(max_err=nan) 
| eval sno=mvrange(-1,1,0.1) | mvexpand sno | eval sno=if(abs(sno)=0.0,0,sno)
| eval include=if(max_err<0,if(max_err<=sno,"Y","N"),if(max_err>=sno,"Y","N")) 
| where include="Y"
| streamstats count as counter by max_err
| eventstats max(counter) as maxCount by max_err
| where (max_err<0 AND counter=1) OR (max_err>0 AND counter=maxCount) OR (max_err=0 AND abs(sno)=0.0)
| table max_err sno
| eval sno1=sno-0.1
| eval sno1=if(abs(sno1)=0.0,0,sno1)
| eval range=case(sno=-1.0,"<-1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno)
| stats count by range
| append [| gentimes start=-1
    | eval sno=mvrange(-1,1,0.1)
    | table sno
    | mvexpand sno
    | eval sno=if(abs(sno)=0.0,0,sno)
    | eval sno1=sno-0.1
    | eval sno1=if(abs(sno1)=0.0,0,sno1)
    | eval range=case(sno=-1.0,"<-1.0#-100000",sno=1.0,">1.0#100000",1=1,sno1."<".sno."#".sno)
    | table range
    | eval count=0]
| stats sum(count) as count by range
| rex field=range "(?<range>.*)#(?<order>.*)" | sort order | fields - order

asherman
Path Finder

Thanks! This works, but it's also a lot more CPU/time costly than the approach I had above. It's also not shortened as much as I had hoped.

Could you clarify for me the purpose of the append? It makes me think of another approach where I use span for the -1 to 1 range, and append the extremes, something like:
| where max_err>-1
| where max_err<1
| chart count by max_err span=0.1
| append [ ... | where max_err>1 | stats count as ">1"]
| append [ ... | where max_err<-1 | stats count as "<-1"]

This requires extra searches though, which I prefer to avoid.

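A single-pass way to get the same clamped 0.1 bins without rangemap, nested ifs, or subsearches, added here as an illustration rather than code from either poster: the bin's lower edge is computed with floor() so it doubles as the numeric sort key, and the two tails are folded into fixed keys (-11 and 10). It assumes the index and field names from the question; the tonumber()/isnotnull() guard and the ">=1.0" label for the upper tail are this example's choices.

```spl
index=test_index3 max_err=* NOT max_err=nan
| eval err=tonumber(max_err)
| where isnotnull(err)
| eval order=case(err<-1, -11, err>=1, 10, 1=1, floor(err*10))
| eval lower=round(order/10, 1), upper=round(lower+0.1, 1)
| eval range=case(order=-11, "<-1.0", order=10, ">=1.0", 1=1, lower."<".upper)
| stats count by order range
| sort + order
| fields - order
```

Bins with no events are simply absent from the output; if every label must appear with a zero count (as somesoni2's gentimes append arranges), that part still needs a subsearch.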