Solved: Why is my search to create a range of values not r...

Rotema · ‎03-02-2016

Hello,

I'm trying to run this search in order to range the values:

index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10 | convert rmunit(AccountNumber)| eval type=case(AccountNumber >=10 AND AccountNumber < 30,"Between 10 and 30 ",AccountNumber >= 31 AND AccountNumber <=50,"Between 31 and 50",AccountNumber >= 51 AND AccountNumber <=70,"Between 51 and 70", AccountNumber >= 71 AND AccountNumber <=100,"Between 71 and 100") | chart count by type

But I'm getting no results 😞
Can you help me understand what's wrong here?

Thanks,
Rotem

somesoni2 · ‎03-02-2016

Since you wan to get range of count, not the account numbers, try like this

index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10 | eval type=case(count>=10 AND count< 30,"Between 10 and 30 ",count>= 31 AND count<=50,"Between 31 and 50",count>= 51 AND count<=70,"Between 51 and 70", count>= 71 AND count<=100,"Between 71 and 100") | chart count by type

View solution in original post

somesoni2 · ‎03-02-2016

Since you wan to get range of count, not the account numbers, try like this

index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10 | eval type=case(count>=10 AND count< 30,"Between 10 and 30 ",count>= 31 AND count<=50,"Between 31 and 50",count>= 51 AND count<=70,"Between 51 and 70", count>= 71 AND count<=100,"Between 71 and 100") | chart count by type

Rotema · ‎03-03-2016

Hi,
that worked!
I just had to play with the rex a bit but that did the trick
Thank u

Rotema · ‎03-02-2016

Hi,
Thanks for the replies.
here is an example of the data:
Query:
index=prod GetClientStateNotFound | rex "AccountNumber=(?P\d+)" | chart count by AccountNumber | where count>=10

Results:

AccountNumber count
1 2266456 52
2 5214944 44
3 2354071 35
4 6386060 35
5 6573558 35
6 6296155 34
7 6235968 33
8 6547036 30
9 1856928 29
10 2629859 26

What I'm trying to do is range the counts (1-30, 31-50, 51-70)

Thanks

lguinn2 · ‎03-02-2016

Your rex command is wrong: it doesn't specify a field name. So there is no "AccountNumber" field. Try this

index=prod GetClientStateNotFound 
| rex "AccountNumber=(?P<AccountNumber>\d+)" 
| chart count by AccountNumber
| where count>=10 
| convert rmunit(AccountNumber)
| eval type=case(AccountNumber >=10 AND AccountNumber < 30,"Between 10 and 30 ",
                              AccountNumber >= 31 AND AccountNumber <=50,"Between 31 and 50",
                              AccountNumber >= 51 AND AccountNumber <=70,"Between 51 and 70", 
                             AccountNumber >= 71 AND AccountNumber <=100,"Between 71 and 100") 
| stats sum(count) as ClientStateNotFound count as NumAccountNumbers by type

Note that I have also changed the final command; you probably should pick whether you want to count the number of times that "GetClientStateNotFound" occurred - or whether you want to count the number of AccountNumbers of each type.
Note that the rex may still be wrong. Show us a sample of the data if you still need help.

Rotema · ‎03-02-2016

Hi, no results.
I'm pretty sure the problem is that I'm getting the account values but what I want do is count the account numbers amount and then range them.

Tnx

somesoni2 · ‎03-02-2016

Can you provide some sample values for Account number that you have? Probably issue with converting the Account number to numeric value to range.

Rotema · ‎03-02-2016

Hi,
Just to clear, I'm trying to range the value of "AccountNumber"

Thanks,
Rotem

somesoni2 · ‎03-02-2016

Do you get results if you run your query without last chart command??

Why is my search to create a range of values not returning any results?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?