- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Why is the rangemap command in my search not produ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search is easy:
index=_internal|fields|stats count|rangemap field=count low=0-50000 elevated=50001-100000 default=severe
visualization single value stops growing before the search finishes!
I uploaded the results:
http://ntu.so/di/SR69M/bug.gif
In a dashboard
rangemap field=count severe=0-50000 elevated=50001-100000 default=low works fine
rangemap field=count low=0-50000 elevated=50001-100000 default=severe stays green?
I am really confused by this command
splunk version 6.0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I attempted to reproduce your problem on v6.2 but could not; everything worked as expected. The only thing I see is an extra |fields which is useless overhead (you should remove it) but that should not cause any problems like you are seeing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your GIF, the search is
index=_internal|fields|stats count|rangemap field=count low=0-50000 elevated=500001-100000 default=severe
So you have a typo - the "elevated" range is invalid.
And as @woodcock pointed out, the "|fields" does nothing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Every thing seems right on version 6.2.4, I have to upgread my plateform
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you
after correcting this mistake, the problem still remains. i will try this on a newer version.
by the way, i suppose "|fields" tell splunk not to extract any fields, even host\source\sourcetype, in order to accelerate the search, is that wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that's wrong.
See docs on fields http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Fields
Keeps (+) or removes (-) fields from search results based on the field list criteria. If + is specified, only the fields that match one of the fields in the list are kept. If - is specified, only the fields that match one of the fields in the list are removed. If neither is specified, defaults to +.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I attempted to reproduce your problem on v6.2 but could not; everything worked as expected. The only thing I see is an extra |fields which is useless overhead (you should remove it) but that should not cause any problems like you are seeing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for your validation, i will try this on a newer version
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
