Splunk Search

How to edit my rangemap search so that ranges will display as table columns?

cstarling
Explorer

Hello! I am using Splunk to correlate packet statistics. In a log we have the following fields: sencore_iat and sencore_uncorrected_packets. Our goal is to map a sencore_iat range to the total amount of uncorrected packets per host. We are looking to make a table like below. Let's say iat_range1 is IAT zero to 1 and iat_range2 is IAT from 1 to 5

host | count(iat_in_range1) | total_uncorrected_packets_for_this_host_with_iat_range1 | count(iat_in_range2) | total_uncorrected_packets_for_this_host_with_iat_range2 .

Here is what I have so far:

myBaseSearch | 
rangemap field=sencore_iat "0 to 1"=0-1 "1 to 5"=1-5 default="other" | 
stats 
count(sencore_iat) as total_occurrences_of_iat
sum(sencore_uncorrected_packets) as sum_of_all_uncorrected_packets
by range, host

This search gives the correct data, however it is not how we want it displayed. This search gives us the iat ranges from the rangemap command in a row, and we are looking to have each iat range from the rangemap command as a column. I am wondering is this possible using the rangemap command?

Please let me know if the question is unclear, or if I should not even be using the rangemap command. Any help would be greatly appreciated!

0 Karma
1 Solution

woodcock
Esteemed Legend

Simply change stats to chart and make it BY host range instead of BY range host.


0 Karma

DalJeanis
SplunkTrust

This makes random test data ...

| makeresults | eval host="a a a a a a a a b b b b b b b b c c c c c c c c c d d d d d" 
| makemv host 
| mvexpand host
| eval rand=random()%100 

This maps the data, sorts the ranges to the desired order, produces the chart with columns as requested, then renames the columns to the desired names.

| rangemap field=rand rangeA=0-40 rangeB=41-80 default=rangeC 
| rename range as myrange 
| stats count as mycount sum(rand) as mysum by myrange host 
| chart sum(mysum) over host by myrange
| rename rangeA as "0 to 1", rangeB as "1 to 5", rangeC as "other"
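The two answers above show the pivot with a single aggregation. Since the question asks for both a count and a sum per range, the search below (an added example, not code from either poster) carries both aggregations through chart in one pass. It builds its own constructed test events with makeresults, uses the asker's field names sencore_iat and sencore_uncorrected_packets, and assumes the range attribute names iat_range1, iat_range2 and other; the final table line fixes the column order, which was the follow-up question in this thread.

```spl
| makeresults count=8
| streamstats count AS n
| eval host=case(n<=3, "hostA", n<=6, "hostB", true(), "hostC")
| eval sencore_iat=case(n=1, 0.4, n=2, 0.9, n=3, 3.2, n=4, 0.1, n=5, 4.7, n=6, 7.5, n=7, 0.8, true(), 4.5)
| eval sencore_uncorrected_packets=n*10
| rangemap field=sencore_iat iat_range1=0-1 iat_range2=1-5 default=other
| chart count AS iat_count sum(sencore_uncorrected_packets) AS uncorrected_packets OVER host BY range
| table host "iat_count: iat_range1" "uncorrected_packets: iat_range1" "iat_count: iat_range2" "uncorrected_packets: iat_range2" "iat_count: other" "uncorrected_packets: other"
```

When chart is given more than one aggregation together with a BY field, it names each column "<aggregation alias>: <by-value>", which is why the table line quotes names such as "iat_count: iat_range1"; replace the first five lines with your base search to run it against real events. One caveat on the ranges as written in the question: rangemap ranges are inclusive at both ends, so a value of exactly 1 matches both 0-1 and 1-5. The test values above deliberately avoid that boundary; for production data choose boundaries that do not overlap.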

cstarling
Explorer

This also works nicely. I accepted the other answer simply because it was 3 mins quicker 🙂

0 Karma

DalJeanis
SplunkTrust

Heh. Serves me right for testing my code. 😉

It's no big deal which one gets accepted or upvoted, just so you got what you needed.

0 Karma

cstarling
Explorer

This works nicely. Is there a way to change the order of the columns that are spit out by the chart command?

0 Karma

cstarling
Explorer

I got it with a simple table command. Thanks for your help!

0 Karma