rangemap
Description
Use the rangemap command to categorize the values in a numeric field. The command adds in a new field called range to each event and displays the category in the range field. The values in the range field are based on the numeric ranges that you specify.
Set the range field to the names of any attribute_name that the value of the input field is within. If no range is matched, the range value is set to the default value.
The ranges that you set can overlap. If you have overlapping values, the range field is created as a multivalue field containing all the values that apply. For example, if low=1-10, elevated=5-15, and the input field value is 10, range=low and code=elevated.
Syntax
The required syntax is in bold.
- rangemap
- field=<string>
- [<attribute_name>=<numeric_range>]...
- [default=<string>]
Required arguments
- field
- Syntax: field=<string>
- Description: The name of the input field. This field must contain numeric values.
Optional arguments
- attribute_name=numeric_range
- Syntax: <string>=<num>-<num>
- Description: The <attribute_name> is a string value that is output when the <numeric_range> matches the value in the <field>. The <attribute_name> is a output to the
rangefield. The <numeric_range> is the starting and ending values for the range. The values can be integers or floating point numbers. The first value must be lower than the second. The <numeric_range> can include negative values. - Example: Dislike=-5--1 DontCare=0-0 Like=1-5
- default
- Syntax: default=<string>
- Description: If the input field does not match a range, use this to define a default value.
- Default: "None"
Usage
The rangemap command is a distributable streaming command. See Command types.
Basic examples
Example 1:
Set range to "green" if the date_second is between 1-30; "blue", if between 31-39; "red", if between 40-59; and "gray", if no range matches (for example, if date_second=0).
... | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray
Example 2:
Sets the value of each event's range field to "low" if its count field is 0 (zero); "elevated", if between 1-100; "severe", otherwise.
... | rangemap field=count low=0-0 elevated=1-100 default=severe
Extended example
| This example uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), etc., for each earthquake recorded.
|
This search counts the number and magnitude of each earthquake that occurred in and around Alaska. Then a color is assigned to each magnitude using the rangemap command.
source=all_month.csv place=*alaska* mag>=3.5
| stats count BY mag
| rename mag AS magnitude
| rangemap field=magnitude light=3.9-4.3 strong=4.4-4.9 severe=5.0-9.0 default=weak
The results look something like this:
| magnitude | count | range |
|---|---|---|
| 3.7 | 15 | weak |
| 3.8 | 31 | weak |
| 3.9 | 29 | light |
| 4 | 22 | light |
| 4.1 | 30 | light |
| 4.2 | 15 | light |
| 4.3 | 10 | light |
| 4.4 | 22 | strong |
| 4.5 | 3 | strong |
| 4.6 | 8 | strong |
| 4.7 | 9 | strong |
| 4.8 | 6 | strong |
| 4.9 | 6 | strong |
| 5 | 2 | severe |
| 5.1 | 2 | severe |
| 5.2 | 5 | severe |
Summarize the results by range value
source=all_month.csv place=*alaska* mag>=3.5
| stats count BY mag
| rename mag AS magnitude
| rangemap field=magnitude green=3.9-4.2 yellow=4.3-4.6 red=4.7-5.0 default=gray
| stats sum(count) by range
The results look something like this:
| range | sum(count) |
|---|---|
| gray | 127 |
| green | 96 |
| red | 23 |
| yellow | 43 |
Arrange the results in a custom sort order
By default the values in the search results are in descending order by the sum(count) field. You can apply a custom sort order to the results using the eval command with the case function.
source=all_month.csv place=*alaska* mag>=3.5
| stats count BY mag
| rename mag AS magnitude
| rangemap field=magnitude green=3.9-4.2 yellow=4.3-4.6 red=4.7-5.0 default=gray
| stats sum(count) by range
| eval sort_field=case(range="red",1, range="yellow",2, range="green",3, range="gray",4)
| sort sort_field
The results look something like this:
| range | sum(count) | sort_field |
|---|---|---|
| red | 23 | 1 |
| yellow | 43 | 2 |
| green | 96 | 3 |
| gray | 127 | 4 |
See also
- Commands
- eval
| predict | rare |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!