Community:Search Performance: Use Eval Instead of Rangemap

From Splunk Wiki


You can replicate the rangemap command with eval and its case() function. rangemap is implemented as a Python search command, while eval runs as native C code inside the search process, so in most cases eval is more than four times faster.


#
# Example of rangemap
#

 | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray



#
# Instead of rangemap, use eval <field>=case()
# => Faster
#


# Each case() branch is tested in order; the first true condition wins,
# so the upper bounds alone define the buckets.
index=_internal source="*metrics.log" per_index_thruput
   | eval range=case(ev <= 50, "-50", ev <= 500, "-500", ev <= 5000, "-5000", ev > 5000, "Others")
   | chart count by series, range

# You can use AND, OR to spell out both ends of each range
index=_internal source="*metrics.log" per_index_thruput
   | eval range=case(ev >= 0 AND ev <= 50, "-50", ev > 50 AND ev <= 500, "-500", ev > 500 AND ev <= 5000, "-5000", ev > 5000, "Others")
   | chart count by series, range
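The rangemap command from the first example rewritten as eval/case(), as an added example that is not part of the original wiki page. It assumes a search over metrics.log and derives date_second from _time so it runs even where that auto-extracted field is absent; the final true() branch is the catch-all that rangemap's default= provides, which the bucketing searches above do not have.

```spl
# Original:
#   | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray
#
# Equivalent eval. rangemap writes its result into a field named "range",
# so the eval targets the same name and downstream searches need no change.
# The true() branch is the catch-all: without it case() returns null for any
# date_second outside the listed ranges (for example 0), where rangemap
# would have returned "gray".
index=_internal source="*metrics.log" per_index_thruput
   | eval date_second=tonumber(strftime(_time, "%S"))
   | eval range=case(date_second >= 1 AND date_second <= 30, "green",
                     date_second >= 31 AND date_second <= 39, "blue",
                     date_second >= 40 AND date_second <= 59, "red",
                     true(), "gray")
   | stats count by range
```

Compare the two with the search job inspector: the eval version shows no external Python command in the pipeline, which is where rangemap's extra cost comes from.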
