We have the below data:
IP Count
A 50
B 100
C 20
D 60
E 10
F 90
We have to chart it as below. Any pointers would be helpful.
1-20 2
20-50 2
50-100 3
You could use the rangemap command:
YOUR BASE SEARCH
| rangemap field=Count "1-20"=1-20 "21-50"=21-50 "51-100"=51-100 default=">100"
| stats count by range
This assumes the field name that holds the value is called Count, as shown in your data sample.
@kmorris_splunk
The count is actually not a field name. It is derived from the number of occurrences of the IP.
Thank you
Try something like this. It is different than your search, but you will get the idea:
sourcetype=access_combined
| stats count as Count by action
| rangemap field=Count "900-950"=900-950 "951-1000"=951-1000 default=">1000"
| table action range
@kmorris_splunk
Thank you, it worked!
Hey @asdfxqwert, Do you want 20 and 50 to be inclusive in both ranges? Asking because your range on line 3 doesn't match your range on line 2 in that sense. (There are 2 values in the 20-50 range inclusive of 20 and there are 4 values in the 50-100 range inclusive of 50). Either way, publishing so the experts can help you chart this. 🙂
Hi @lfedak-splunk
Thanks for spotting the issue. The range should be exclusive.
1-20
21-50
51-100 etc
Also, the range can be dynamic. So, it would be great to have a function (user-defined or existing) to define the range as per the requirement.
Thanks for publishing!
Sure thing!
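The exclusive ranges and the adjustable boundaries discussed in this thread, combined in one search; this is an added example, not a search posted by anyone in the thread. It rebuilds the question's six IPs as constructed events so that Count is derived from occurrences, and it uses eval case() instead of rangemap so the labels follow the boundary values. The field names i, sample_hits, n, b1, b2 and b3 are assumptions.

```spl
| makeresults count=6
| streamstats count as i
| eval IP=mvindex(split("A,B,C,D,E,F", ","), i-1)
| eval sample_hits=tonumber(mvindex(split("50,100,20,60,10,90", ","), i-1))
| eval n=mvrange(0, sample_hits)
| mvexpand n
| stats count as Count by IP
| eval b1=20, b2=50, b3=100
| eval range=case(Count<=b1, "1-".b1, Count<=b2, (b1+1)."-".b2, Count<=b3, (b2+1)."-".b3, true(), ">".b3)
| stats count by range
```

Changing b1, b2 and b3 moves every bucket and its label together; the two eval lines can also be saved as a search macro that takes the boundaries as arguments.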