Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk search - chart the number of hits from each IP over a fixed range

asdfxqwert
Explorer
‎08-16-2017 04:54 PM

We have the below data:

IP           Count
A            50
B            100
C            20
D            60
E            10
F            90

We have to chart it as below. Any pointers would be helpful

1-20    2
20-50   2
50-100  3
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-16-2017 05:35 PM

You could use the rangemap command:

YOUR BASE SEARCH 
| rangemap field=Count "1-20"=1-20 "21-50"=21-50 "51-100"=51-100 default=">100" 
| stats count by range

This assumes the fieldname that holds the value is called Count like it shows in your data sample.

View solution in original post

Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-16-2017 05:35 PM

You could use the rangemap command:

YOUR BASE SEARCH 
| rangemap field=Count "1-20"=1-20 "21-50"=21-50 "51-100"=51-100 default=">100" 
| stats count by range

This assumes the fieldname that holds the value is called Count like it shows in your data sample.

Reply
Solved! Jump to solution

asdfxqwert
Explorer
‎08-17-2017 10:01 AM

@kmorris_splunk

The count is actually not a fieldname. It is derived from the number of occurrences of the IP

Thank you

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-17-2017 11:54 AM

Try something like this. It is different than your search, but you will get the idea:

sourcetype=access_combined 
| stats count as Count by action 
| rangemap field=Count "900-950"=900-950 "951-1000"=951-1000 default=">1000" 
| table action range
Reply
Solved! Jump to solution

asdfxqwert
Explorer
‎08-17-2017 04:32 PM

@kmorris_splunk

Thank you, it worked !

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-16-2017 05:08 PM

Hey @asdfxqwert, Do you want 20 and 50 to be inclusive in both ranges? Asking because your range on line 3 doesn't match your range on line 2 in that sense. (There are 2 values in the 20-50 range inclusive of 20 and there are 4 values in the 50-100 range inclusive of 50). Either way, publishing so the experts can help you chart this. 🙂

Reply
Solved! Jump to solution

asdfxqwert
Explorer
‎08-16-2017 05:12 PM

Hi @lfedak-splunk

Thanks for spotting the issue. The range should be exclusive.

1-20
21-50
51-100 etc

Also, the range can be dynamic. So, it would be great to have a function(user defined or existing) to define the range as per the requirement.

Thanks for publishing !

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-17-2017 11:12 AM

Sure thing!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...