All Apps and Add-ons

How to set colors for value column in dashboard?

tunglt7
Engager

Hi everyone,

I used APP NMON PERFORMANCE BY OCTAMIS to monitor linux/unix servers and I have a source dashboard :

<dashboard>
  <label>test</label>
  <row>
    <panel>
      <title>test</title>
      <single>
        <search>
          <query>eventtype=nmon:performance type=CPU_ALL OR type=MEM OR type=DISKBUSY frameID=* host=* | stats avg(Sys_PCT) AS CPU_Sys, avg(User_PCT) AS CPU_User, avg(Wait_PCT) AS CPU_Wait, avg(cpu_load_percent) AS cpu_load_percent, avg(swap_used_effective_PCT) AS MEM_swap_used, avg(value) AS Disk_Busy by host | where CPU_Sys>40 OR User_PCT>75 OR Wait_PCT>10 OR cpu_load_percent>90 OR MEM_swap_used>20 OR Disk_Busy>75 | stats count</query>
          <earliest>rt-5m</earliest>
          <latest>rt</latest>
          <refresh>5m</refresh>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">all</option>
        <option name="height">50</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="refresh.display">none</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</dashboard>

alt text
When I click number 3 then it displayed a value table.
I want when it shows up on the screen only have issue value for example: MEM_swap_used>20 OR setting color highlight for column
alt text

Can someone help me please?

0 Karma

evania
Splunk Employee
Splunk Employee

Hi @tunglt7 ,

Did you have a chance to check out an answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

tunglt7
Engager

Hi @evzhang_splunk

My problem is still not solved, how can I update it?

0 Karma

tunglt7
Engager

Thanks your answer, Niketnilay.

I understand what you said.
But my dashboard for tracking performance servers, may occur one of the following problems will warn red:
| where CPU_Sys>40 OR User_PCT>75 OR Wait_PCT>10 OR cpu_load_percent>90 OR MEM_swap_used>20 OR Disk_Busy>75 and print out the current problem numbers screen: | stats count
alt text

And then I click on the displayed number, it will show a value table like the picture. I want the value column to exceed the set threshold, it will be highlighted.
alt text

Your code when entering source dashboard is invalid, Because my dashboard is to display the number of issues that occurred at that time, not the value table.

         <format type="color" field="Mem_swap_used">
           <colorPalette type="list">[#FFFFFF,#DC4E41]</colorPalette>
           <scale type="threshold">20</scale>
         </format>

Or Can you help me give an idea that after I click the display the number of issues, the value table displays only the problem column.

Thanks.

0 Karma

niketn
Legend

For filtering the results with Mem_swap_used you can use
Following filter if Mem_swap_used is a derived field immediately after the field is available in the previous pipe | result

| where Mem_swap_used>20

Or if you can filter directly in the index data

<yourMainSearchQuery> Mem_swap_used>20

If you want to color Mem_swap_used>20, you can use following Simple XML code (provided you are on Splunk 6.5 or higher). You can color directly from UI Edit option as well by clicking on specific Edit pen icon on the column where color by value is applicable. Refer to Splunk documentation on Formatting Table Columns:

    <format type="color" field="Mem_swap_used">
      <colorPalette type="list">[#FFFFFF,#DC4E41]</colorPalette>
      <scale type="threshold">20</scale>
    </format>

Following is a run anywhere Dashboard Example that you can try:

<dashboard>
  <label>Table color by range</label>
  <description>Color Cells with Mem_swap_used>20</description>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults count=3
| eval Mem_swap_used=random()
| eval Mem_swap_used=substr(Mem_swap_used,1,2)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Mem_swap_used">
          <colorPalette type="list">[#FFFFFF,#DC4E41]</colorPalette>
          <scale type="threshold">20</scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tunglt7
Engager

Hi Niketnilay,
Please reply for my answer as below.
Tks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...