topic Time Field Coloring in Splunk Enterprise

Time Field Coloring

sswigart — Wed, 30 Aug 2023 22:28:34 GMT

I audit windows computers. My search looks for the date, time, EventCode and Account_Name:

Date Time EventCode Account_Name

2023/08/29 16:09:30 4624 jsmith

I would like the Time field to turn red when a user signs in after hours (1800 - 0559).

I have tried clicking on the pen in the time column and selecting Color than Ranges. I always get error messages about not putting the numbers in correct order.

What do I need to do?

Re: Time Field Coloring

bowesmana — Wed, 30 Aug 2023 23:37:57 GMT

You will have to the the use the colorPalette expression syntax as in the example below - you can simply copy this XML row into an existing dashboard to see how it works - it's a dummy search that just creates a random time and when it's in the out of hours range it goes red.

<row> <panel> <table> <title>Turning the Time column red if outside hours 18:00 to 06:00</title> <search> <query>| makeresults | eval _time=now() - (random() % 86400) | eval Date=strftime(_time, "%F"), Time=strftime(_time, "%T") | eval EventCode=4624, Account_Name="user ".(random() % 10) | table Date Time EventCode Account_Name</query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="Time"> <colorPalette type="expression">if(tonumber(substr(value,1,2))>=18 OR tonumber(substr(value,1,2))<6, "#FF0000", "#FFFFFF")</colorPalette> </format> </table> </panel> </row>

Re: Time Field Coloring

sswigart — Wed, 06 Sep 2023 21:24:06 GMT

bowesmana'

Thank you for your response. I am new to Splunk. I do not understand all the code you provided. My next question is how do I incorporate the actual search using your code. Here is the search:

index="winlogs" host=* source="WinEventLog:Security" Eventcode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host"

| sort_time

| convert ctime(_time) as timestamp

| table, timestamp,EventCode,Logon_Type,Account_Name,RecordNumber,status

Re: Time Field Coloring

bowesmana — Wed, 06 Sep 2023 22:31:46 GMT

My example was XML for use in a classic dashboard - so if you take the entire XML below and create a new dashboard and paste in this into the source.

<dashboard version="1.1"> <row> <panel> <table> <title>Turning the Time column red if outside hours 18:00 to 06:00</title> <search> <query> index="winlogs" host=* source="WinEventLog:Security" Eventcode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort_time | convert ctime(_time) as timestamp | table timestamp,EventCode,Logon_Type,Account_Name,RecordNumber,status </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="timestamp"> <colorPalette type="expression">if(tonumber(substr(value,12,2))>=18 OR tonumber(substr(value,12,2))<6, "#FF0000", "#FFFFFF")</colorPalette> </format> </table> </panel> </row> </dashboard>

This is what an XML dashboard looks like. You can see your search in the <search> section and the <format> section is what defines your colours and testing the time range.

That documentation for the format is here

https://docs.splunk.com/Documentation/Splunk/9.1.0/Viz/TableFormatsXML