
Is it possible to have rangemap's range change dynamically according to the time range selected by users?

intern_jos
Engager

I would want the range map's range to change according to the time range selected by users.

For example last 24hrs
low=1-10 elevated=11-20 default=severe
Then for last 7days
low=1-70 elevated=71-140 default=severe

Is it possible to put all this in one search?

Thanks in advance.


lguinn2
Legend

First, realize that rangemap is just a simple variant of the case function of eval:

| rangemap field=X low=1-10 elevated=11-20 default=severe

is the equivalent of

| eval range=case(X>=1 and X<=10,"low",
                 X>10 and X<=20,"elevated",
                 1==1,"severe")

But the case function allows a lot more flexibility. rangemap only works with integers; case works with numbers and strings. case can also support complex conditionals. So, you could do this:

| addinfo
| eval multiplier= (info_max_time - info_min_time) / 86400
| eval range=case(X>=1*multiplier and X<=10*multiplier,"low",
                     X>10*multiplier and X<=20*multiplier,"elevated",
                     1==1,"severe")

This gets the earliest and latest times for the search (from addinfo) and then calculates a multiplier based on the number of days. So if the user searched over the last 7 days, the multiplier would be approximately 7.
But you could calculate the conditions used by the case function any way that you want.

Note that you will not need to change any CSS or single-value visualizations - they will work exactly as they did before. Why? Because the field calculated by the eval command is "range" - the same field that is the result of the rangemap command, and the values for range are set to "low","elevated" or "severe", just as they are for the rangemap command.

intern_jos
Engager

I always get "severe" no matter how I change the range. Is there any reason why?
I tried changing the range to ensure that my total events would fall into the elevated range, but the result is still severe.


lguinn2
Legend

I didn't have a problem with the logic. I suggest that you do this to debug your problem:

| addinfo
| eval multiplier= (info_max_time - info_min_time) / 86400
| eval low_start = 1*multiplier
| eval low_end = 10*multiplier
| eval elevated_start = low_end
| eval elevated_end = 20*multiplier
| eval range=case(X>=low_start and X<=low_end,"low",
                  X>elevated_start and X<=elevated_end,"elevated",
                  1==1,"severe")
| table range X low_start low_end elevated_start elevated_end multiplier

This will probably show you what is happening. In my own test case, the X that I was generating was much larger than I thought it was...
You may need to adjust the multiplier or how you define your ranges.

Again, I couldn't find anything wrong with the original solution; this is just to give you more information about what it is doing...
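A self-contained test search for the approach in the two answers above, added here and not part of lguinn2's posts: it fabricates six X values with makeresults (constructed test data, not indexed events) so the time-scaled thresholds and the debug table can be checked directly against the time picker. Run it with a bounded range such as Last 7 days, since addinfo does not return a finite window for All time.

```spl
| makeresults count=6
| streamstats count AS n
| eval X = case(n==1, 0, n==2, 5, n==3, 10, n==4, 35, n==5, 140, n==6, 141)
| addinfo
| eval multiplier = (info_max_time - info_min_time) / 86400
| eval low_start = 1 * multiplier
| eval low_end = 10 * multiplier
| eval elevated_start = low_end
| eval elevated_end = 20 * multiplier
| eval range = case(X >= low_start AND X <= low_end, "low",
                    X > elevated_start AND X <= elevated_end, "elevated",
                    1==1, "severe")
| table n X range multiplier low_start low_end elevated_start elevated_end
```

Over Last 7 days the multiplier is roughly 7, so the rows with X=0 and X=5 fall through to "severe" because they sit below low_start, while 10 and 35 are "low" and 140 is "elevated". That gap below 1*multiplier is one reason a small count can report severe even when the ranges look correct.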


MuS
SplunkTrust

I like this approach!
This could also be done with a lookup; take a look here https://answers.splunk.com/answers/341505/splunk-dynamic-count-of-lookups-in-csv.html#answer-341515 where a lookup is used to set semi-dynamic thresholds. Add a time range to the entries and you can do it based on time ranges 😉

cheers, MuS

lguinn2
Legend

Yes @MuS, I thought about a lookup as well. I think that a lookup would be a great approach for a lot of things, not just this example.

I didn't add it here, because I wanted to stay close to "how rangemap works" for this particular example.

MuS
SplunkTrust

understood and agreed 😉


somesoni2
SplunkTrust

Is the time range selection done by the time range picker (virtually unlimited possible values), or did you create a dropdown with only selected time ranges? In the case of the latter, there might be a way using tokens.


alemarzu
Motivator

I doubt it mate.
