topic Re: How do you change the background color of a timechart if there is a value of zero ? in Splunk Search

How do you change the background color of a timechart if there is a value of zero ?

DEAD_BEEF — Mon, 31 Dec 2018 03:36:40 GMT

I have a simple timechart that looks at the _internal index for various hosts and makes a simple timechart span by hour. I trellis this by host so I get say 8 medium sized timecharts that show log counts over the last 3 days. Sometimes, some of these hosts go down and the value obviously goes to zero.

How do I make the background panel for that host colored red when any of the values is zero? In other words, I want to capture the attention of my users when any of the hosts have a time when there are no logs. If this isn't possible, I'd be open to other suggestions that would get a users attention. I already have alerts set up as well, but this dashboard is also important, and I want to make it easier to capture the user's attention.

| tstats count where index=_internal host=myhost00* by host_time prestats=t span=1h
| timechart span=1h count by host

Final working SPL. Since I have multiple hosts, I just broke them down into individual searches and removed the <panel> tags to make them look like one big panel.

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <chart>
        <search id="pre">
          <query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
                 | timechart span=1h count AS mycount
          </query>
          <earliest>-48h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="charting.backgroundColor">$myColorToken$</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">preview</option>
      </chart>
    </panel>
  </row>
  <search base="pre">
    <query>| stats min(mycount) AS mincount</query>
    <done>
      <eval token="myColorToken">if($result.mincount$&lt;=0,"red","white")</eval>
    </done>
  </search>
</dashboard>

Re: How do you change the background color of a timechart if there is a value of zero ?

DalJeanis — Mon, 31 Dec 2018 18:18:24 GMT

With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.

Updated with more details as per request...

In your SPL, you will do something like this

<search id="whatever">
    <query>
     ... your search stuff...
     | timechart span=1h count as mycount
    </query>
</search>

Elsewhere, you will have another search that uses that one as its base

<search base="whatever">
    <query>
    | stats min(mycount) as mincount
    </query>
     <done>
      <eval token="myColorToken">if($result.minfoo$&lt;=0,"red","green")</eval>
    </done>
</search>

In your chart, you are going to have a line like this...

<option name="charting.backgroundColor">$myColorToken$</option>

The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.

Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.

Paging @niketnilay...

Re: How do you change the background color of a timechart if there is a value of zero ?

DEAD_BEEF — Mon, 31 Dec 2018 19:02:09 GMT

Hi @DalJeanis I think I can break up the SPL query into individual searches to avoid using trellis. Can you give me an example of how to do it with a "normal chart"? Then I can try implementing it via <done> as you mentioned?

Re: How do you change the background color of a timechart if there is a value of zero ?

DEAD_BEEF — Mon, 31 Dec 2018 23:00:47 GMT

Thank you @DalJeanis! Just needed to encode the "<" but otherwise it worked perfectly. First time for me using these tags, learning new SPL everyday.

Re: How do you change the background color of a timechart if there is a value of zero ?

DalJeanis — Tue, 01 Jan 2019 04:24:48 GMT

Ah, yes. updated < to <.

Re: How do you change the background color of a timechart if there is a value of zero ?

niketn — Wed, 02 Jan 2019 16:49:27 GMT

😄 I will keep quiet if this works straight-forward with several charts powered by individual queries. <condition match="$job.resultCount$==0"> (i.e. to capture Search returned no results) can also be used with <done> and <progress> Search Event Handlers to achieve same results to set background color of the chart!

Re: How do you change the background color of a timechart if there is a value of zero ?

DalJeanis — Wed, 02 Jan 2019 19:00:00 GMT

Yes, but I couldn't type that one as aircode, and didn't want to take the time to google the exact capitalization...