rangemap
This documentation does not apply to the most recent version of Splunk.
The rangemap command lets you classify ranges of values for numerical fields with more descriptive names.
Synopsis
Sets range field to the name of the ranges that match.
Syntax
rangemap field=<string> (<attribute_name>=<integer_range>)+ [default=<string>]
Required arguments
- attribute_name
  - Syntax: <string>
  - Description: The name or attribute for the specified numerical range.
- field
  - Syntax: field=<string>
  - Description: The name of the input field. This field should be numeric.
- <integer_range>
  - Syntax: <start>-<end>
  - Description: Define the starting integer and ending integer values for the range attributed to the "attribute_name" parameter. This can include negative values. For example: Dislike=-5--1, DontCare=0-0, Like=1-5.
Optional arguments
- default
  - Syntax: default=<string>
  - Description: If the input field doesn't match a range, use this to define a default value. If you don't define a value, defaults to "None".
Description
Sets the range field to the name of every attribute_name whose range contains the value of the input field. If no range matches, the range field is set to the default value.
The ranges that you set can overlap. If you have overlapping values, all the values that apply are shown in the events. For example, if low=1-10, elevated=5-15, and the input field value is 10, then range=low elevated.
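The matching rules above, as a small Python model added here for illustration (not Splunk's code): inclusive integer ranges, negative bounds, every overlapping name reported, and the default when nothing matches. The function names and the handling of missing or non-numeric input are assumptions.

```python
import re

# One <attribute_name>=<start>-<end> argument. Start and end may be negative,
# so "Dislike=-5--1" has to split on the hyphen between the two integers.
RANGE_ARG = re.compile(r"^(?P<name>[^=\s]+)=(?P<start>-?\d+)-(?P<end>-?\d+)$")


def parse_rangemap(args):
    """Parse rangemap arguments into (field, [(name, start, end)], default)."""
    field, default, ranges = None, "None", []
    for arg in args.split():
        if arg.startswith("field="):
            field = arg[len("field="):]
        elif arg.startswith("default="):
            default = arg[len("default="):]
        else:
            m = RANGE_ARG.match(arg)
            if not m:
                raise ValueError(f"not a valid range argument: {arg!r}")
            ranges.append((m["name"], int(m["start"]), int(m["end"])))
    if field is None or not ranges:
        raise ValueError("rangemap needs field=<string> and at least one range")
    return field, ranges, default


def rangemap(event, args):
    """Return a copy of event with its range field set as the page describes."""
    field, ranges, default = parse_rangemap(args)
    try:
        value = float(event[field])
    except (KeyError, TypeError, ValueError):
        value = None  # assumption: missing or non-numeric input gets the default
    # Both endpoints are inclusive; overlapping ranges all apply, in argument order.
    matched = [n for n, lo, hi in ranges if value is not None and lo <= value <= hi]
    return {**event, "range": " ".join(matched) if matched else default}
```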
Note: For Splunk versions before 4.2.x, search performance with the rangemap command is expected to be slow if you are reporting on large numbers of events. For this case, use the eval command's case() function to define the different ranges. For more information about the eval command and its functions, read:
Examples
Example 1: Set range to "green" if the date_second is between 1-30; "blue", if between 31-39; "red", if between 40-59; and "gray", if no range matches (for example, if date_second=0).
... | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray
Example 2: Sets the value of each event's range field to "low" if its count field is 0 (zero); "elevated", if between 1-100; "severe", otherwise.
... | rangemap field=count low=0-0 elevated=1-100 default=severe
Using rangemap with single value panels
The Single Value dashboard panel type can be configured to use rangemap values; for example, Splunk ships with CSS that defines colors for low, elevated, and severe. You can customize the CSS for these values to apply different colors. Also, you have to edit the XML for the view to associate the colors with the range value; to do this:
1. Go to Manager >> User interface >> Views and select the view you want to edit.
2. For the single value panel that uses the rangemap search, include the following line underneath the <title /> tags:
<option name="classField">range</option>
So, if you had a view called "Example" and your search was named "Count of events", your XML might look something like this:
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Example</label>
  <row>
    <single>
      <searchName>Count of events</searchName>
      <title>Count of events</title>
      <option name="classField">range</option>
    </single>
  </row>
</dashboard>
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the rangemap command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6