
How to search for an item (failure code) and combine it with rangemap command?

krown
Explorer

Hello everybody,

I'm trying to set up a traffic light circuit. I'm searching for two failures. "12345" & "54321".

Immediately if failure "12345" occurs -> range should be "elevated" and then the traffic light should change to orange, and if failure "54321" occurs -> range should change to "severe" and the traffic light should change to red. The traffic light circuit works with some JavaScript and a SingleValue visualization. The only problem is that my XML script is not working.

By now my rangemap-line: ... | rangemap field=failure default=low elevated=12345-12345 severe=54321-54321

The command could also be something like "If count of failure appearances > 1, then change range to..." and the traffic light changes in real time.

I hope that I described it clearly to you! Thank you very much for your help!

Best Regards!

0 Karma
1 Solution

lguinn2
Legend

Here is the deal - a lot of visualizations are based on the "range" field - which is simply the default output of the rangemap command. But you don't have to use the rangemap command - you can calculate the value of the range field however you want. Also, to drive a single value panel, it is best to have a search that yields only a single result (line) with 2 fields - the range and the value that you want to display.

So you could do this:

yoursearchhere
| stats values(failure) as failure_group
| eval range = case(isnotnull(mvfind(failure_group, "^54321$")), "severe",
                    isnotnull(mvfind(failure_group, "^12345$")), "elevated",
                    1==1, "low")

How this search works: since you don't care how many times the failure has happened, there is no need to count them. Using the values function of stats returns just a single result - a sorted list of the failures that appeared in the search. The case function tests to see if each failure appears - if it appears, then the range value is set. Only the first true comparison applies, so if 54321 appears, the value will be set to "severe" and we will not check (or care) to see if a 12345 also appeared. The 1==1 is used for the default condition, since it is always true.

Now, the above search should work great for a scheduled alert - each time the search runs, it produces a single result that is the "worst thing that happened" during the time interval of the search. But if you are running a true realtime alert, you could simply do this:

yoursearchhere
| eval range = case(failure=="54321","severe",
                    failure=="12345","elevated",
                    1==1,"low")
| fields failure range

Now the value of the range field will fluctuate as each event (that matches the search) is received.

krown
Explorer

Dear lguinn, thank you very much for your response!

Sorry, I forgot to mention, that there are many different failures, circa 30 units.

For example, I have the failures 1, 2, 3, 4, 5 and 6. Now, if the search finds failure "1", then the range should change to "severe", if it finds failure "2", then the range should change to "elevated" and if it finds 3 or 4 or 5 or 6, then the range should change to "low".

In addition to that, if failure "1" appears, the range should change to "severe", no matter if failure "2" or the other failures appear.
And if failure "2" appeared first, and failure "1" appears afterwards, then it should change from "elevated" to "severe".
The same applies if there were only the failures 3 or 4 or 5 or 6 (="low") and then failure "1" (="severe") or "2" (="elevated") appears.

Is it possible to do that?

Thanks in advance!

Best regards!

0 Karma

krown
Explorer

OK, I found the solution: don't forget to add "" around your failure codes!

index="..." 
| stats values(failure) as failure_group 
| eval range = case(failure_group=="1","severe",failure_group=="2","elevated",1==1,"low") 
| table range

Now it's working fine for me!

Thank you again and best regards!

0 Karma
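The accepted answer computes the range field with a chain of case() branches, and the follow-up asks how that scales to roughly 30 failure codes where code "1" must win over "2", and both must win over 3 to 6, whatever order the events arrive in. The search below is an added example written for this thread, not code posted by lguinn2 or krown: it separates the two concerns by first giving every event a numeric severity (3 = severe, 2 = elevated, 1 = low) and then taking the maximum with stats, so precedence follows from max() rather than from the order of the case() branches. The index name, sourcetype, the field name "failure", the numeric severity scale and the "none" label for codes outside the list are assumptions for illustration; the page leaves those unspecified.

```spl
index="your_index" sourcetype="your_sourcetype" failure=*
| eval sev = case(failure=="1", 3,
                  failure=="2", 2,
                  match(failure, "^(3|4|5|6)$"), 1,
                  1==1, 0)
| stats max(sev) as worst_sev, values(failure) as failure_group, count as failures
| eval range = case(worst_sev==3, "severe",
                    worst_sev==2, "elevated",
                    worst_sev==1, "low",
                    1==1, "none")
| table range worst_sev failures failure_group
```

Adding a new code means adding one line to the first case() with its severity number, and the codes are compared as quoted strings, which is the point krown ran into. Because worst_sev is numeric, the final eval can also be replaced with the rangemap command from the original question, for example "| rangemap field=worst_sev low=1-1 elevated=2-2 severe=3-3 default=none", and the single value panel still receives one row with a range field.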