- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I display ranges as text min - max?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I have data such as this:
SensorNo A B C D....Z AA AB....
123 2.4 2.5 2.6 1.0 ....89.1
124 8.6 2.6 3.6 5.7 ....
125 5.6 2.55 4.6 12.1....
And I want a table that shows the ranges of each value, such as in:
| stats min(A) as minA max(A) as maxA|eval rangeA=min(A)+" to "+maxA
Would look like:
minA maxA rangeA
2.4 8.6 2.6 to 8.6
I do not know how many fields are going to be in this data set in advance but I want that range for all of them, A thru however many there are. Doing that stats naming and eval isn't going to work because I can't predefine how many fields there are. I found I can get the min, max, and max-min using:
|stats min() max() range()
However, this results in 3x the number of fields I want and a goofy sort of the columns.
The ultimate goal is to drop the fields min(A) max(A) and just display the range in the human readable form "2.6 to 8.6"
|stats.... |fields - min() max()
or something like that
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need foreach command here to dynamically process fields.
your current search giving fields: SensorNo A B C D....Z AA AB....
| stats min(*) as min* max(*) as max*
| foreach min* [| eval "range<<MATCHSTR>>"='max<<MATCHSTR>>'." to ".'min<<MATCHSTR>>' ]
| table range*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need foreach command here to dynamically process fields.
your current search giving fields: SensorNo A B C D....Z AA AB....
| stats min(*) as min* max(*) as max*
| foreach min* [| eval "range<<MATCHSTR>>"='max<<MATCHSTR>>'." to ".'min<<MATCHSTR>>' ]
| table range*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That works beautifully... thank you. I'm not sure why, but I will have to read about that part.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another query that describes what I want, but this one doesn't work:
|stats min() as min* max() as max* by Spread |eval range*=max*-min*
gives an error on the eval piece, stats part works well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you have your syntax incorrect. Try:
| stats min(*) as min* by Spread
I'm not sure about the eval portion, but start with this for now. I can test the other bit out later.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works with or without the * inside the min() parenthesis, splunk documentation for aggregate functions indicates to not use the star so I didn't. That part works fine, the range piece is what I haven't been able to figure out.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
