Solved: Add Color to Specific Text within a Field?

itsmevic70 · ‎01-20-2023

I'm creating a ServiceNow Dashboard in Splunk, and there is a particular column called "dv_priority" that I'd like to assign a color code to. For example, their are four values assigned to dv_priority field, it's either going to "1 - Critical" , "2 - High" , "3 - Moderate" , "4 - Low", "5 - Informational"

I'd like to color code these values, for example "1 - Critical" (Red), "2 - High" (Orange), "3 - Moderate" (Yellow) and "4 - Low" (Purple) and "5 - Informational" (Green).

What would be the best approach SPL-wise in doing this with the below query?

index=servicenow sourcetype=* NOT dv_state IN("Closed", "Resolved", "Cancelled")
| eval dv_number = if(isnull(dv_number), task_effective_number, dv_number)
       | eval dv_number = if((isnull(dv_number) OR len('dv_number') == 0), DV_NUMBER, dv_number)
       | eval number = if((isnull(number) OR len('number') == 0), dv_number, number)
       | eval number = if((isnull(number) OR len('number') == 0), NUMBER, number)
       | eval number = if((isnull(number) OR len('number') == 0), "Error", number)
       | eval number = if(number!=dv_number, dv_number, number)
       | eval dv_u_subcategory = if((isnull(dv_u_subcategory) OR len('dv_u_subcetegory') == 0), DV_U_SUBCATEGORY, dv_u_subcategory)
       | eval dv_u_category = if((isnull(dv_u_category) OR len('dv_u_category')==0), DV_U_CATEGORY, dv_u_category)
| eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Analytics"), "Detect", dv_business_service)
       | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Engineering"), "Engineering", dv_business_service)
       | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), DV_BUSINESS_SERVICE, dv_business_service)
       | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_business_service')==0) AND dv_u_category="Notable" AND dv_u_subcategory="Security"), "Detect", dv_business_service)
       | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), "Error", dv_business_service)
       | eval dv_business_service = if(dv_u_category="Infrastructure", "Engineering", dv_business_service)
       | eval state = if((isnull(state) OR len('state')==0), STATE, state)
| eval dv_state = if((isnull(dv_state) AND state=1), "New", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=3), "Closed", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=6), "Resolved", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=11), "On-Hold", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=18), "In Progress - Customer", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=7), "Cancelled", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=10), "In Progress - dw", dv_state)
       | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), DV_STATE, dv_state)
       | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), "Error", dv_state)
       | eval dv_state = if(dv_state="Error" AND (isnotnull(closed_at) OR len('closed_at') == 0), "Resolved", dv_state)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), short_description, dv_short_description)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), case, dv_short_description)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), DV_SHORT_DESCRIPTION, dv_short_description)
| eval dv_category = if(dv_business_service="Detect", "MDR Analytics", dv_category)
       | eval closed_at = if((isnull(closed_at) OR len('closed_at')==0), CLOSED_AT, closed_at)
       | eval u_mttn = if((isnull(u_mttn) OR len('u_mttn')==0), U_MTTN, u_mttn)
       | eval u_mttca_2 = if((isnull(u_mttca_2) OR len('u_mttca_2')==0), U_MTTCA_2, u_mttca_2)
       | eval u_mttcv = if((isnull(u_mttcv) OR len('u_mttcv')==0), U_MTTCV, u_mttcv)
       | eval u_mttdi = if((isnull(u_mttdi) OR len('u_mttdi')==0), U_MTTDI, u_mttdi)
       | eval u_mttrv = if((isnull(u_mttrv) OR len('u_mttrv')==0), U_MTTRV, u_mttrv)
       | eval u_mttc = if((isnull(u_mttc) OR len('u_mttc')==0), U_MTTC, u_mttc)
       | table _time, number, dv_state, dv_priority, dv_u_category, dv_short_description,dv_assigned_to,dv_assignment_group, opened_at
| where dv_assignment_group="Security"
| sort - _time
| sort - dv_state
| dedup number

manjunathmeti · ‎01-23-2023

hi @itsmevic70,

Check this app from Splunk, Splunk Dashboard Examples. It has a dashboard with your use case.

View solution in original post

itsmevic70 · ‎01-23-2023

Thanks, Manjunathmeti.

manjunathmeti · ‎01-23-2023

hi @itsmevic70,

Check this app from Splunk, Splunk Dashboard Examples. It has a dashboard with your use case.

Add Color to Specific Text within a Field?

dashboard

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?