Change color of group field based on tooltip condition in event timeline viz.

New Member

I have columns like Group label Tooltip start in event timeline viz.
Group label Tooltip start
A X No Error 3pm
A Y Error 4pm
B Z No Error 4pm
B X No Error 4pm
C Y Error 3Pm
C Z No Error 3Pm

  • I want to change the color of group field based on the condition of tooltip(if group A has tooltip value like No Error and Error the color should change to Red.) (if group B has tooltip value like No Error and No Error the color of group field should change to Green.)
0 Karma


@yadavshilpa what you join Group and Label as single field, then categorical color will be applied based on Tooltip.

| eval "Group - Label"=Group." - ".label
| fields - Group label
| table "Group - Label" Tooltip start

You can alternatively try the Timeline Custom Visualization as well. Following is a run- anywhere example based on the same

  <label>Timeline Example</label>
    <panel depends="$alwaysHideCSSPanel$">
            div.splunk-timeline-tooltip div.tooltip-meta p,
            div.splunk-timeline-tooltip div.tooltip-inner p.time-span-label{
            color: white !important;
      <title>Timeline with Categorical Colors</title>
      <viz type="timeline_app.timeline">
          <query>| makeresults
| eval data="A X NoError 3pm;A Y Error 4pm;B Z NoError 4pm;B X NoError 4pm;C Y Error 3pm;C Z NoError 3pm;"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Group=mvindex(data,0),label=mvindex(data,1),Tooltip=mvindex(data,2),start=mvindex(data,3)
| eval Tooltip=case(Tooltip="NoError","No Error",true(),Tooltip)
| eval start_time=strftime(now(),"%Y/%m/%d")." 0".replace(start,"pm",":00:00 PM")
| eval _time=strptime(start_time,"%Y/%m/%d %H:%M:%S %p")
| eval "Group - label"=Group." - ".label
| eval duration=0
| fields - _m*
| fields _time "Group - label" Tooltip duration</query>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="timeline_app.timeline.axisTimeFormat">MINUTES</option>
        <option name="timeline_app.timeline.colorMode">categorical</option>
        <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
        <option name="timeline_app.timeline.minColor">#FFE8E8</option>
        <option name="timeline_app.timeline.numOfBins">6</option>
        <option name="timeline_app.timeline.tooltipTimeFormat">MINUTES</option>
        <option name="timeline_app.timeline.useColors">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Hi niketnilay,

Thanks for your response.

if i use | table "Group - Label" Tooltip start , then the error message has been generated stating "Error Rendering Event timeline viz vizualization please include the following fields in the search query Eg: |table group label start end tooltip".

I already have a columns like group label data start end tooltip. The group field color should change to green color if tooltip field is "no error" otherwise "red".

Note: For group field the background color option is not avaialble to change the color. when i inspect the element in google. Can anybody help me out whether backgroud color property is availble for group field in event timeline viz visualization.

0 Karma