Related Answers
Download topic as PDF
rangemap
Description
Use the rangemap command to categorize the values in a numeric field. The command adds in a new field called range to each event and displays the category in the range field. The values in the range field are based on the numeric ranges that you specify.
Set the range field to the names of any attribute_name that the value of the input field is within. If no range is matched, the range value is set to the default value.
The ranges that you set can overlap. If you have overlapping values, the range field is created as a multivalue field containing all the values that apply. For example, if low=1-10, elevated=5-15, and the input field value is 10, range=low and code=elevated.
Syntax
rangemap field=<string> (<attribute_name>=<numeric_range>)... [default=<string>]
Required arguments
- field
- Syntax: field=<string>
- Description: The name of the input field. This field should contain numeric values
Optional arguments
- attribute_name=numeric_range
- Syntax: <string>=<num>-<num>
- Description: The <attribute_name> is a string value that is output when the <numeric_range> matches the value in the <field>. The <attribute_name> is a output to the
rangefield. The <numeric_range> is the starting and ending values for the range. The values can be integers or floating point numbers. The first value must be lower than the second. The <numeric_range> can include negative values. - Example: Dislike=-5--1 DontCare=0-0 Like=1-5
- default
- Syntax: default=<string>
- Description: If the input field does not match a range, use this to define a default value.
- Default: "None"
Examples
Example 1:
Set range to "green" if the date_second is between 1-30; "yellow", if between 31-39; "red", if between 40-59; and "gray", if no range matches (for example, if date_second=0).
... | rangemap field=date_second green=1-30 yellow=31-39 red=40-59 default=gray
Example 2:
Sets the value of each event's range field to "low" if its count field is 0 (zero); "elevated", if between 1-100; "severe", otherwise.
... | rangemap field=count low=0-0 elevated=1-100 default=severe
Using rangemap with single value panels
The Single Value dashboard panel type can be configured to use rangemap values. For example, Splunk ships with CSS that defines colors for low, elevated, and severe. You can customize the CSS for these values to apply different colors. Also, you have to edit the XML for the view to associate the colors with the range value; to do this:
1. Go to Manager >> User interface >> Views and select the view you want to edit.
2. For the single value panel that uses the rangemap search, include the following line underneath the <title /> tags:
<option name="classField">range</option>
So, if you had a view called "Example" and your search was named, "Count of events", your XML might look something like this:
<dashboard>
<label>Example</label>
<row>
<single>
<searchName>Count of events</searchName>
<title>Count of events</title>
<option name="classField">range</option>
</single>
</row>
</dashboard>
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the rangemap command.
|
PREVIOUS predict |
NEXT rare |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15
Is it possible to have the range map change the color of the entire element panel, and not just the color of the text?