
Hello,

I have a question about rangemap. I want to create a search which allows me to get the number of events by a field D_IPADD that I create and to apply a rangemap: red when there are more than 10 D_IPADD values with count>10, and yellow where 10>count>5, but I don't know how to do it. I also want to see on the button the number of IP_ADRESS where count>10, for example. Actually my search applies colours when at least one D_IPADD has more than 5 or 10 events and shows the number of events, but that isn't what I want.

Thanks in advance for your help.

<single>
  <searchString>source=tcp:5555 PURCH_DAY=06-14 PURCH_DATE=19 | top 1 D_IPADD | rangemap field=count elevated=5-10 severe=10-100 default=low</searchString>
  <title>Monitoring IP addresses : more than 10 appearances</title>
  <earliestTime>-7d</earliestTime>
  <option name="beforeLabel">NB Transactions : </option>
  <option name="classField">range</option>
  <option name="field">count</option>
</single>

asked 24 Jun '12, 04:18


LauraBre
accept rate: 14%

edited 24 Jun '12, 04:17


One Answer:

Not to make it too simplistic, but could you not just define something like:

| rangemap field=count low=0-5 elevated=6-10 severe=11-100 default=severe

Since you know that between 0 and 5 is low, and then by definition anything greater than 100 is severe (assuming that is red). To see the IP address, just add a table to the end of your query, something like:

| table IPFIELD,range

answered 24 Jun '12, 04:25


Drainy
accept rate: 25%


Drainy is right on the rangemap, but it could be made simpler:

| rangemap field=count low=0-5 elevated=6-10 default=severe

Your original query would show that a count of 101 (or higher) is categorised as 'low'.

/k

(24 Jun '12, 11:34) kristian.kolb

Hah, good point old chap!

(24 Jun '12, 12:43) Drainy

Thanks very much for your answers, but if I have several lines of results, my single in my XML doesn't work, no???

(24 Jun '12, 14:19) LauraBre

Well, a single value is a statistical view; how can you present a single value on several lines? It's a "single value" :). The idea is to perform a statistical report such as count, avg, etc., or to return only one event, such as the head event with a head 1, and then output the contents of a field to your single value.

(24 Jun '12, 14:29) Drainy
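The following is an added example, not Splunk code and not posted by anyone in the thread. It simulates in Python what the rangemap call in Drainy's answer does to a `stats count by D_IPADD` result, so that kristian.kolb's point can be checked directly: with the original `elevated=5-10 severe=10-100 default=low`, a count of 101 lands in `low`, while `low=0-5 elevated=6-10 default=severe` puts it in `severe`. Assumptions (not stated on the page): range bounds are inclusive, the first range that matches in the order given wins, and a value matching no range gets the default. The event list, the `rangemap`, `top_by_ip`, `classify` and `ips_over` helpers, and the IP addresses are all constructed for the example.

```python
"""Simulation of rangemap semantics as discussed in the thread (added example).

Assumed semantics: inclusive bounds, first matching range in argument order
wins, and the default is used when no range matches.
"""
from collections import Counter


def parse_ranges(spec):
    """Turn {"low": "0-5", "elevated": "6-10"} into [("low", 0.0, 5.0), ...]."""
    parsed = []
    for name, bounds in spec.items():
        lo, hi = bounds.split("-")
        parsed.append((name, float(lo), float(hi)))
    return parsed


def rangemap(value, spec, default):
    """Assumed rangemap: inclusive bounds, first match wins, else default."""
    for name, lo, hi in parse_ranges(spec):
        if lo <= value <= hi:
            return name
    return default


# The two range sets from the thread (default given separately, as in SPL).
ORIGINAL = {"elevated": "5-10", "severe": "10-100"}   # default=low
FIXED = {"low": "0-5", "elevated": "6-10"}            # default=severe

# Constructed sample events: one D_IPADD value per event.
EVENTS = (
    ["10.0.0.1"] * 101   # a noisy address, above the 100 upper bound
    + ["10.0.0.2"] * 7   # should be elevated
    + ["10.0.0.3"] * 3   # should be low
)


def top_by_ip(events):
    """Rows like `| stats count by D_IPADD | sort -count` (what top does underneath)."""
    counts = Counter(events)
    return [{"D_IPADD": ip, "count": n} for ip, n in counts.most_common()]


def classify(rows, spec, default):
    """Rows like `| rangemap field=count ... | table D_IPADD,range`."""
    return [dict(row, range=rangemap(row["count"], spec, default)) for row in rows]


def ips_over(rows, threshold):
    """Addresses whose count exceeds the threshold (the asker's 'count>10' figure)."""
    return [row["D_IPADD"] for row in rows if row["count"] > threshold]


if __name__ == "__main__":
    rows = top_by_ip(EVENTS)
    for label, spec, default in (("original", ORIGINAL, "low"), ("fixed", FIXED, "severe")):
        print(f"{label} (default={default})")
        for row in classify(rows, spec, default):
            print(f"  {row['D_IPADD']:<12} count={row['count']:<4} range={row['range']}")
    print("addresses with count>10:", ips_over(rows, 10))
```

Running it shows 10.0.0.1 (count 101) classified as `low` under the original ranges and as `severe` under the corrected ones, which is exactly the gap the comment above points out; the overlapping 5-10 / 10-100 bounds in the original query are also avoided by the non-overlapping 0-5 / 6-10 split.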


Copyright © 2005-2012 Splunk Inc. All rights reserved.