Here is the situation:
I have two fields:
1. ResponseTime, which needs grouping like this (Low=0-1.2, Medium=1.2-1.5, High=1.5-1.8, default=Critical)
2. CodeName, which corresponds to the response time
I want to see a trending graph of the top 5 CodeNames, with the bucketing mentioned above, for a span of 15 min.
I tried this
my search | rangemap field=ResponseTime Low=0-1.2 Medium=1.2-1.5 High=1.5-1.8 default=Critical | timechart count span=15m by range
Yes, you have to go with eval case in this scenario:
my search
| eval Range=case(
    ResponseTime>=0 AND ResponseTime<1.2, "Low",
    ResponseTime>=1.2 AND ResponseTime<1.5, "Medium",
    ResponseTime>=1.5 AND ResponseTime<1.8, "High",
    true(), "Critical")
| eval Series=CodeName.":".Range
| timechart span=15m count by Series limit=5
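A self-contained variant of that approach, added here as an example and not taken from the original answer: it builds a small constructed dataset with makeresults so it can be pasted into any search bar, keeps the boundary values 1.2, 1.5 and 1.8 in the lower bucket, ranks CodeName by event count before charting so that "top 5" applies to CodeName rather than to the CodeName:Range series, and then charts every bucket of those five codes per 15-minute bin. The field names CodeName, ResponseTime, Range and Series are assumed to match the question.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = now() - (n * 600)
| eval CodeName = mvindex(split("ALPHA,ALPHA,ALPHA,BETA,BETA,GAMMA,GAMMA,DELTA,DELTA,EPSILON,ZETA,ALPHA", ","), n - 1)
| eval ResponseTime = tonumber(mvindex(split("0.4,1.2,1.45,1.5,1.79,1.8,2.3,0.9,1.3,1.6,0.0,5.0", ","), n - 1))
| eval Range = case(
    ResponseTime >= 0   AND ResponseTime < 1.2, "Low",
    ResponseTime >= 1.2 AND ResponseTime < 1.5, "Medium",
    ResponseTime >= 1.5 AND ResponseTime < 1.8, "High",
    true(), "Critical")
| eventstats count AS CodeCount BY CodeName
| sort - CodeCount, + CodeName
| streamstats dc(CodeName) AS Rank
| where Rank <= 5
| eval Series = CodeName . ":" . Range
| timechart span=15m count BY Series limit=0
```

With the constructed data, ZETA (one event) is dropped as the sixth code, and the 1.2 / 1.5 / 1.8 rows land in Medium / High / Critical respectively instead of all falling through to the default.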
I don't think rangemap likes decimals. Maybe the answer posted here using | eval case will be a suitable substitute.
https://answers.splunk.com/answers/5659/rangemap-does-not-work-with-decimals.html
What's the output of your current search, and what should the output be?