How to change the threshold of either the radial gauge or the rangemap command?

tmarlette
Motivator

I am using a rangemap function for IIS data. I am counting the amount of successful 'hits' in a log (status=2*) and I'm attempting to map the results to a radial gauge; however, Splunk is truncating the results at 1000. I have 70000+ hits every 60 minutes, so I'm wondering how to change the threshold of either the radial gauge or the rangemap command.

This is my query:

index=my_index sourcetype="iis" sc_status=2* |lookup status_codes.csv status AS sc_status | rangemap field=count low=0-19999 guard=20000-39999 elevated=40000-69999 high=70000-99999 severe=100000-200000 default=severe

Is there a way to adjust the rangemap to accept these thresholds?

1 Solution

aljohnson_splun
Splunk Employee

Regardless of using rangemap, you can use gauge pretty easily here:

... | gauge count 0 20000 40000 70000 100000 200000

The first value is the starting value, the last one is the ending value. The values in the middle will automatically become the splitting points. The default colors go from green -> green/yellow -> yellow -> orange -> red. count here would be whatever field you're displaying.

See the docs on the gauge command here.

rajendra_b
New Member

This is good, but how do I make the numbers in the gauge command dynamic instead of actual numbers? Can I use eval to get the numbers in a variable, like:

... | eval y1=(Total * 0.5) | eval y2=(Total * 0.8) | eval y3=Total | gauge count 0 y1 y2 y3

somesoni2
SplunkTrust

I don't see any aggregation command in your query, which means that for your chart the number of records is more than 1000, causing the truncation. Try something like this:

index=my_index sourcetype="iis" sc_status=2* | stats count by sc_status | lookup status_codes.csv status AS sc_status | rangemap field=count low=0-19999 guard=20000-39999 elevated=40000-69999 high=70000-99999 severe=100000-200000 default=severe