Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013. This documentation does not apply to the most recent version of Splunk.

rangemap

The rangemap command lets you classify ranges of values for numerical fields with more descriptive names.

Synopsis

Sets range field to the name of the ranges that match.

Syntax

rangemap field=<string> (<attribute_name>=<integer_range>)+ [default=<string>]

Required arguments

attribute_name
Syntax: <string>
Description: The name or attribute for the specified numerical range.
field
Syntax: field=<string>
Description: The name of the input field. This field should be numeric.
<integer_range>
Syntax: <start>-<end>
Description: Define the starting integer and ending integer values for the range attributed to the "attribute_name" parameter. This can include negative values. For example: Dislike=-5--1, DontCare=0-0, Like=1-5.

Optional arguments

default
Syntax: default=<string>
Description: If the input field doesn't match a range, use this to define a default value. If you don't define a value, it defaults to "None".

Description

Sets the range field to the names of every attribute_name whose range contains the value of the input field. If no range matches, the range field is set to the default value.

The ranges that you set can overlap. If you have overlapping values, all the values that apply are shown in the events. For example, if low=1-10, elevated=5-15, and the input field value is 10, then range=low elevated.
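
A reference model of the matching rules described above, as an added example that is not Splunk's code: it parses range specs in the name=start-end form shown on this page (negative bounds included), returns the names a value falls in or the default, and lists the values in an interval that no range covers. The function names, the definition-order output, and the rejection of reversed ranges are assumptions of this sketch.

```python
import re

# One range spec: name=<start>-<end>; either bound may be negative,
# as in the page's Dislike=-5--1.
_SPEC = re.compile(r"^(?P<name>[^=\s]+)=(?P<start>-?\d+)-(?P<end>-?\d+)$")


def parse_ranges(specs):
    """Parse 'name=start-end' strings into (name, start, end) tuples."""
    ranges = []
    for spec in specs:
        m = _SPEC.match(spec)
        if m is None:
            raise ValueError(f"not a valid range spec: {spec!r}")
        start, end = int(m["start"]), int(m["end"])
        # Choice made by this model; the page does not say how Splunk
        # treats a range whose start is greater than its end.
        if start > end:
            raise ValueError(f"start is greater than end in {spec!r}")
        ranges.append((m["name"], start, end))
    return ranges


def rangemap(value, specs, default="None"):
    """Return what the range field would hold for one integer value."""
    matched = [name for name, start, end in parse_ranges(specs)
               if start <= value <= end]
    # Assumption: names are listed in definition order, which agrees
    # with the page's "range=low elevated" example.
    return " ".join(matched) if matched else default


def gaps(specs, lo, hi):
    """List the integers in [lo, hi] that fall through to the default."""
    parsed = parse_ranges(specs)
    return [v for v in range(lo, hi + 1)
            if not any(start <= v <= end for _, start, end in parsed)]


if __name__ == "__main__":
    # Constructed check using the ranges from Example 1 on this page.
    bands = ["green=1-30", "blue=31-39", "red=40-59"]
    for second in (0, 10, 35, 59):
        print(second, rangemap(second, bands, default="gray"))
    print("uncovered seconds:", gaps(bands, 0, 59))
```

Running gaps over severity bands before wiring them to a dashboard shows which input values would silently land on the default label.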

Note: For Splunk versions before 4.2.x, search performance with the rangemap command is expected to be slow if you are reporting on large numbers of events. For this case, use the eval command's case() function to define the different ranges. For more information about the eval command and its functions, read:

Examples

Example 1: Set range to "green" if the date_second is between 1-30; "blue", if between 31-39; "red", if between 40-59; and "gray", if no range matches (for example, if date_second=0).

... | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray

Example 2: Sets the value of each event's range field to "low" if its count field is 0 (zero); "elevated", if between 1-100; "severe", otherwise.

... | rangemap field=count low=0-0 elevated=1-100 default=severe

Using rangemap with single value panels

The Single Value dashboard panel type can be configured to use rangemap values; for example, Splunk ships with CSS that defines colors for low, elevated, and severe. You can customize the CSS for these values to apply different colors. Also, you have to edit the XML for the view to associate the colors with the range value; to do this:

1. Go to Manager >> User interface >> Views and select the view you want to edit.

2. For the single value panel that uses the rangemap search, include the following line underneath the <title /> tags:

<option name="classField">range</option>

So, if you had a view called "Example" and your search was named, "Count of events", your XML might look something like this:

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Example</label>
  <row>
    <single>
      <searchName>Count of events</searchName>
      <title>Count of events</title>
      <option name="classField">range</option>
    </single>
  </row>
</dashboard>

See also

eval


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

