topic Re: Need help in some formatting the result in Splunk Search

Need help in some formatting the result

Ashish0405 — Tue, 10 Dec 2024 11:59:18 GMT

Hi Team,

I am Firewall engineer and working on creation of some dashboard.

I have created one dashboard whenever our firewall failover the dashboard will show result as "Active" & " Standby" & "Down" in Guage format.

However I would like to set up the dashboard in this way :

1) whenever firewall failover and it is in "down state" the guage color should be red

2) whenever firewall failover and it is in "Active state" the guage color should be Green

3) whenever firewall failover and it is in "Standby state" the guage color should be Amber

Does anyone know about it and help me with some sample examples to understand

Re: Need help in some formatting the result

dural_yyz — Tue, 10 Dec 2024 15:02:21 GMT

Is this an XML or Studio dashboard example? What viz are you using? custom vs OOTB?

Re: Need help in some formatting the result

bowesmana — Wed, 11 Dec 2024 05:34:14 GMT

I'm guessing this is Chris Younger's Number Display Viz - those spinner gauges look familiar

Is this what you're after - this is an example of setting the color field based on the desired colours

| makeresults format=csv data="State_Before,State_After,Cluster_Name DOWN,STANDBY,Host1 STANDBY,ACTIVE,Host2 STANDBY,DOWN,Host3" | eval color=case(State_After="DOWN", "#FF0000", State_After="ACTIVE", "#00FF00", State_After="STANDBY", "#FFBF00") | rename Cluster_Name as value, State_After as title | table title value color

and you end up with this

Re: Need help in some formatting the result

Ashish0405 — Wed, 11 Dec 2024 07:38:39 GMT

bowesmana ,

appreciate your help, thank you so much the script works for me

Re: Need help in some formatting the result

Ashish0405 — Wed, 11 Dec 2024 07:49:27 GMT

I am getting below error while using the script is their any mistake in placing the script shared by you ,

Previous script :

-------------------------

index=firewall (origin=10.254.17.* OR origin=10.254.252.* OR origin=10.254.253.*) OR *VGUK* OR *VGBR* OR *VGCY* OR *VGIN* OR *VGRU* OR *VGMY* OR *VGKC* OR *EQX* OR *PDN* OR *VSHW* | search "state change: * -> Down" OR "state change: * -> Standby" OR "state change: * -> Active" | rex field=_raw "^(?:[^:\n]*:){5}\s+(?P<State_before>[^ ]+)\s+\->\s+(?P<State_after>\w+)" | dedup Cluster_name | stats count by host,State_after

Re: Need help in some formatting the result

bowesmana — Wed, 11 Dec 2024 22:13:31 GMT

The use of makeresults is to show examples of how to use a technique, so what you need is the eval statement that sets the field 'color' based on the values of State_after. Add it after your stats command

| eval color=case(State_after="DOWN", "#FF0000", State_after="ACTIVE", "#00FF00", State_after="STANDBY", "#FFBF00")

Re: Need help in some formatting the result

Ashish0405 — Tue, 17 Dec 2024 06:55:38 GMT

Thank you !!! it worked !