Use the rangemap command to categorize the values in a numeric field. The command adds a new field called range to each event and displays the category in the range field. The values in the range field are based on the numeric ranges that you specify.
Sets the range field to the names of any attribute_name that the value of the input field is within. If no range is matched, the range value is set to the
The ranges that you set can overlap. If you have overlapping values, the range field is created as a multivalue field containing all the values that apply. For example, if low=1-10, elevated=5-15, and the input field value is 10,
rangemap field=<string> (<attribute_name>=<numeric_range>)... [default=<string>]
- Syntax: field=<string>
- Description: The name of the input field. This field should contain numeric values.
- Syntax: <string>=<num>-<num>
- Description: The <attribute_name> is a string value that is output when the <numeric_range> matches the value in the <field>. The <attribute_name> is output to the range field. The <numeric_range> is the starting and ending values for the range. The values can be integers or floating point numbers. The first value must be lower than the second. The <numeric_range> can include negative values.
- Example: Dislike=-5--1 DontCare=0-0 Like=1-5
- Syntax: default=<string>
- Description: If the input field does not match a range, use this to define a default value.
- Default: "None"
Sets range to "green" if the date_second is between 1-30; "yellow", if between 31-39; "red", if between 40-59; and "gray", if no range matches (for example, if date_second=0).
... | rangemap field=date_second green=1-30 yellow=31-39 red=40-59 default=gray
Sets the value of each event's range field to "low" if its count field is 0 (zero); "elevated", if between 1-100; "severe", otherwise.
... | rangemap field=count low=0-0 elevated=1-100 default=severe
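The matching rules described above (ranges given as <num>-<num>, several names when ranges overlap, the default when nothing matches), modelled in Python as an added example. This is not Splunk's code: the function names parse_range, rangemap and uncovered are hypothetical, and inclusive bounds are an assumption taken from low=0-0 matching a count of 0.

```python
import re

# One bound: optional minus sign, then an integer or floating point number.
_NUM = r"-?\d+(?:\.\d+)?"
_RANGE = re.compile(rf"^({_NUM})-({_NUM})$")


def parse_range(spec):
    """Parse '<num>-<num>' such as '1-30', '0-0' or '-5--1' into (start, end)."""
    m = _RANGE.match(spec)
    if not m:
        raise ValueError(f"not a numeric range: {spec!r}")
    start, end = float(m.group(1)), float(m.group(2))
    if start > end:
        raise ValueError(f"start is greater than end: {spec!r}")
    return start, end


def rangemap(value, ranges, default="None"):
    """Model of the range field: every attribute name whose range holds value.

    ranges maps attribute_name -> '<num>-<num>'. Bounds are treated as
    inclusive (assumption, taken from low=0-0 matching a count of 0).
    Overlapping ranges give several names, like a multivalue field.
    """
    hits = []
    for name, spec in ranges.items():
        start, end = parse_range(spec)
        if start <= value <= end:
            hits.append(name)
    return hits or [default]


def uncovered(ranges, first, last):
    """Integers in first..last that match no range and so get the default."""
    marker = object()
    return [v for v in range(first, last + 1)
            if rangemap(v, ranges, default=marker) == [marker]]


# Range definitions copied from the examples on this page.
SECONDS = {"green": "1-30", "yellow": "31-39", "red": "40-59"}
COUNTS = {"low": "0-0", "elevated": "1-100"}

if __name__ == "__main__":
    print(rangemap(10, {"low": "1-10", "elevated": "5-15"}))  # overlap
    print(rangemap(250, COUNTS, default="severe"))            # no match
    print(uncovered(SECONDS, 0, 59))                          # gap check
```

Running uncovered over the full value domain of a field shows which values fall through to the default before a set of thresholds is put on a dashboard.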
Using rangemap with single value panels
The Single Value dashboard panel type can be configured to use rangemap values. For example, Splunk ships with CSS that defines colors for low, elevated, and severe. You can customize the CSS for these values to apply different colors. Also, you have to edit the XML for the view to associate the colors with the range value; to do this:
1. Go to Manager >> User interface >> Views and select the view you want to edit.
2. For the single value panel that uses the rangemap search, include the following line underneath the <title /> tags:
<option name="classField">range</option>
So, if you had a view called "Example" and your search was named "Count of events", your XML might look something like this:
<dashboard>
  <label>Example</label>
  <row>
    <single>
      <searchName>Count of events</searchName>
      <title>Count of events</title>
      <option name="classField">range</option>
    </single>
  </row>
</dashboard>
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15