
why is Rangemap giving different results based on the label containing ">" or "<"

srichansen
Path Finder

Hi all,

I have a search with a rangemap that groups based on seconds.
The smallest and first grouping is for a range of less than 30 sec. The label is "<30", with the values being from 0 to 30.
This label gives a different result than the label "0-30".

Here are the two examples with results:

| rangemap field=middle
"<30m"=0-30
"30-60m"=30-60
"1-2u"=60-120
"2-4u"=120-240

"range": "<30m",
"totalTransactions": "12568"

| rangemap field=middle
"0-30m"=0-30
"30-60m"=30-60
"1-2u"=60-120
"2-4u"=120-240

"range": "0-30m",
"totalTransactions": "12913"

Has anyone experienced this before or know a solution?

Thanks in advance,
Simon

0 Karma

niketn
Legend

@srichansen I have tested with the case() evaluation function and the rangemap command, and whether or not there are special characters in the range label, the range value remains the same. PS: rangemap did not accept the equals character =.

So it makes me think: is it possible that the latency values were actually changing when you were trying to re-run the search with special characters in the range label?

Please find a run-anywhere example based on Splunk's _internal index for the previous day's data, so that the values do not change (I am using date_second as latency to get dummy data between 1 and 60).


index=_internal sourcetype=splunkd log_level!="INFO" earliest=-1d@d latest=-0d@d-1s 
| stats min(date_second) as latency by component
| rangemap field=latency "lt 10"=0-10 "gt 10 and lt.eq 30"=10-30 "gt 30 and lt.eq 45"=30-45 "gt 45 and lt.eq 60"=45-60 
| rename range as rangeWithRangeMapAndAlphaCharacters
| rangemap field=latency "<10"=0-10 ">10 & <30"=10-30 ">30 & <45"=30-45 ">45 & <60"=45-60
| rename range as rangeWithRangeMapAndSpecialCharacters
| eval rangeWithCaseAndAlphaCharacters=case(latency<=10,"lt 10",latency>10 AND latency<=30,"gt 10 and lt.eq 30",latency>30 AND latency<=45,"gt 30 and lt.eq 45",latency>45 AND latency<=60,"gt 45 and lt.eq 60",true(),"None")
| eval rangeWithCaseAndSpecialCharacters=case(latency<=10,"<10",latency>10 AND latency<=30,">10 & <=30",latency>30 AND latency<=45,">30 & <=45",latency>45 AND latency<=60,">45 & <=60",true(),"None")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
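To make the argument in the reply above checkable offline, here is a small Python model of rangemap-style bucketing. It is an added example, not code from the thread or from Splunk, and it makes one assumption that Splunk's documentation does not state for overlapping specs: both endpoints of a range are inclusive and the first matching range wins. Run over the same constructed sample of "middle" values, the two label sets from the original post produce identical bucket counts, which is the point the reply makes. The example also lists the values (30, 60, 120) that fall on the shared endpoints of ranges written as 0-30, 30-60, 60-120 and so satisfy two ranges at once; those are the values whose bucket depends on match order rather than on the label, and they are the first thing to check when two runs of the "same" search disagree.

```python
# Added example (not from the Splunk thread): a minimal re-implementation of
# rangemap-style bucketing, used to check two things the thread argues about:
#   1. the label attached to a range has no effect on which values it captures;
#   2. ranges written as 0-30, 30-60, ... overlap at their shared endpoints,
#      so a value of exactly 30 satisfies two ranges and its bucket then depends
#      on match order, not on the label text.
# Inclusive endpoints and first-match-wins are assumptions made here for the
# demonstration, not a statement of Splunk's exact rangemap semantics.
from collections import Counter


def parse_ranges(spec):
    """spec: list of (label, 'lo-hi') pairs, mirroring rangemap's label=lo-hi arguments."""
    parsed = []
    for label, rng in spec:
        lo, hi = rng.split("-")
        parsed.append((label, float(lo), float(hi)))
    return parsed


def rangemap(value, ranges, default="None"):
    """Return the label of the first range containing value (inclusive bounds).
    'None' is the default label rangemap itself uses for unmatched values."""
    for label, lo, hi in ranges:
        if lo <= value <= hi:
            return label
    return default


def bucket_counts(values, spec):
    """Count values per label, the way '| stats count by range' would after rangemap."""
    ranges = parse_ranges(spec)
    return Counter(rangemap(v, ranges) for v in values)


def boundary_collisions(values, spec):
    """Values that fall inside more than one range. Their bucket depends on the
    order the ranges are tried, which is why overlapping specs are fragile."""
    ranges = parse_ranges(spec)
    return sorted({v for v in values if sum(lo <= v <= hi for _, lo, hi in ranges) > 1})


# Constructed sample of 'middle' latencies in seconds (not real data).
SAMPLE = [3, 12, 29, 30, 30, 45, 60, 61, 119, 120, 200, 240, 300]

# The two label sets from the original post, applied to identical numeric ranges.
SPECIAL_LABELS = [("<30m", "0-30"), ("30-60m", "30-60"), ("1-2u", "60-120"), ("2-4u", "120-240")]
ALPHA_LABELS = [("0-30m", "0-30"), ("30-60m", "30-60"), ("1-2u", "60-120"), ("2-4u", "120-240")]


def labels_do_not_matter(values=SAMPLE):
    """True when both label sets bucket every value identically, compared range by range."""
    a = bucket_counts(values, SPECIAL_LABELS)
    b = bucket_counts(values, ALPHA_LABELS)
    a_by_range = {rng: a[label] for label, rng in SPECIAL_LABELS}
    b_by_range = {rng: b[label] for label, rng in ALPHA_LABELS}
    return a_by_range == b_by_range and a["None"] == b["None"]


if __name__ == "__main__":
    print(bucket_counts(SAMPLE, SPECIAL_LABELS))
    print(bucket_counts(SAMPLE, ALPHA_LABELS))
    print("same bucketing regardless of label:", labels_do_not_matter())
    print("values matching more than one range:", boundary_collisions(SAMPLE, SPECIAL_LABELS))
```

If the real search shows different totals for the two label sets, the thing to compare is the set of events each run saw, not the label text: re-run both over a fixed, past time window (as the reply above does with earliest/latest on _internal) and, if the ranges overlap, move the lower bound of each subsequent range up by one unit so that no value can match twice.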

srichansen
Path Finder

Hi all,

Thanks for the reactions.
The error shows when you change the label in the rangemap and not the ranges in the mapping.
They both have the same range mapped (0-30) but with different labels.

From the eval example above, it would be like:
|eval rank=case((latency>160),">160",(latency>120),">120",(latency>80),">80",(latency<=80),"<=80")
gives different results to this:
|eval rank=case((latency>160),"99999 - 160",(latency>120),"180 - 120",(latency>80),"120 - 80",(latency<=80),"0 - 80")

If this is somehow linked, then it would mean that a label has an influence on the ranges that rangemap uses. Maybe it needs to be escaped or something, but I have never seen that in SPL before, only in XML or regex.

Kind regards.

0 Karma

maujard
Loves-to-Learn

Try something like this:

|eval rank=case((latency>160),4,(latency>120),3,(latency>80),2,(latency<=80),1)
| stats count(rank) by rank

0 Karma