I would want the range map's range to change according to the time range selected by users.
For example, last 24 hours:
low=1-10 elevated=11-20 default=severe
Then for the last 7 days:
low=1-70 elevated=71-140 default=severe
Is it possible to put all this in one search?
Thanks in advance.
First, realize that rangemap is just a simple variant of the case function of eval:
| rangemap field=X low=1-10 elevated=11-20 default=severe
is the equivalent of
| eval range=case(X>=1 and X<=10,"low",
X>10 and X<=20,"elevated",
1==1,"severe")
But the case function allows a lot more flexibility. rangemap only works with integers; case works with numbers and strings. case can also support complex conditionals. So, you could do this:
| addinfo
| eval multiplier= (info_max_time - info_min_time) / 86400
| eval range=case(X>=1*multiplier and X<=10*multiplier,"low",
X>10*multiplier and X<=20*multiplier,"elevated",
1==1,"severe")
This gets the earliest and latest times for the search (from addinfo) and then calculates a multiplier based on the number of days. So if the user searched over the last 7 days, the multiplier would be approximately 7. But you could calculate the conditions used by the case function any way that you want.
Note that you will not need to change any CSS or single-value visualizations - they will work exactly as they did before. Why? Because the field calculated by the eval command is "range" - the same field that is the result of the rangemap command, and the values for range are set to "low", "elevated" or "severe", just as they are for the rangemap command.
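A Python model of the time-scaled case() logic from this answer, added here as an example and not part of the original thread, so the threshold arithmetic can be checked outside Splunk. The field and threshold names follow the answer; the fixed "now" and the event counts are constructed sample values.

```python
"""Model of the time-scaled rangemap/case() search from the answer above.

Added example, not code from the thread. Mirrors:
  | addinfo
  | eval multiplier=(info_max_time - info_min_time) / 86400
  | eval range=case(X>=1*multiplier and X<=10*multiplier, "low", ...)
"""
from datetime import datetime, timedelta, timezone

DAY = 86400  # seconds per day; the same divisor the answer uses


def multiplier(info_min_time: float, info_max_time: float) -> float:
    """Mirror of `eval multiplier=(info_max_time - info_min_time) / 86400`."""
    return (info_max_time - info_min_time) / DAY


def rangemap_case(x: float, mult: float) -> dict:
    """Mirror of the eval range=case(...) with thresholds scaled by mult.

    Returns the 'range' value together with the scaled bounds, like the
    debug `table` in the follow-up, so an unexpected "severe" can be traced.
    """
    low_start, low_end = 1 * mult, 10 * mult
    elevated_start, elevated_end = low_end, 20 * mult
    if low_start <= x <= low_end:
        rng = "low"
    elif elevated_start < x <= elevated_end:
        rng = "elevated"
    else:
        rng = "severe"  # the 1==1 default branch of case()
    return {"range": rng, "X": x, "low_start": low_start, "low_end": low_end,
            "elevated_start": elevated_start, "elevated_end": elevated_end,
            "multiplier": mult}


def classify_window(count: float, days: float) -> dict:
    """Classify an event count for a search window of `days` days ending at a
    constructed fixed 'now' (stands in for addinfo's info_min/max_time)."""
    now = datetime(2024, 1, 8, tzinfo=timezone.utc)
    earliest = (now - timedelta(days=days)).timestamp()
    return rangemap_case(count, multiplier(earliest, now.timestamp()))


if __name__ == "__main__":
    # Same count, two windows: 15 events is "elevated" over 24 hours
    # but "low" over 7 days, because the bounds scale with the window.
    for days in (1, 7):
        print(days, classify_window(15, days))
```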
I always get "severe" no matter how I change the range. Is there any reason why?
I tried changing the range to ensure that my total events would fall into the elevated range, but the result is still severe.
I didn't have a problem with the logic. I suggest that you do this to debug your problem:
| addinfo
| eval multiplier= (info_max_time - info_min_time) / 86400
| eval low_start = 1*multiplier
| eval low_end = 10*multiplier
| eval elevated_start = low_end
| eval elevated_end = 20*multiplier
| eval range=case(X>=low_start and X<=low_end,"low",
X>elevated_start and X<=elevated_end,"elevated",
1==1,"severe")
| table range X low_start low_end elevated_start elevated_end multiplier
This will probably show you what is happening. In my own test case, the X that I was generating was much larger than I thought it was...
You may need to adjust the multiplier or how you define your ranges.
Again, I couldn't find anything wrong with the original solution; this is just to give you more information about what it is doing...
I like this approach!
This could also be done with a lookup; take a look here https://answers.splunk.com/answers/341505/splunk-dynamic-count-of-lookups-in-csv.html#answer-341515 where a lookup is used to set semi-dynamic thresholds. Add a time range to the entries and you can do it based on time ranges 😉
cheers, MuS
Yes @MuS, I thought about a lookup as well. I think that a lookup would be a great approach for a lot of things, not just this example.
I didn't add it here, because I wanted to stay close to "how rangemap works" for this particular example.
understood and agreed 😉
Is the time range selected by the time range picker (virtually unlimited possible values), OR did you create a dropdown with only selected time ranges? In case of the latter, there might be a way by using the tokens.
I doubt it mate.