Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add Color to Specific Text within a Field?

itsmevic70
Explorer
‎01-20-2023 11:00 AM

I'm creating a ServiceNow Dashboard in Splunk, and there is a particular column called "dv_priority" that I'd like to assign a color code to.  For example, their are four values assigned to dv_priority field, it's either going to "1 - Critical" ,  "2 - High" , "3 - Moderate" , "4 - Low", "5 - Informational"

 
I'd like to color code these values, for example "1 - Critical" (Red), "2 - High" (Orange), "3 - Moderate" (Yellow) and "4 - Low" (Purple) and "5 - Informational" (Green).

What would be the best approach SPL-wise in doing this with the below query?

 

 

index=servicenow sourcetype=* NOT dv_state IN("Closed", "Resolved", "Cancelled")
| eval dv_number = if(isnull(dv_number), task_effective_number, dv_number)
       | eval dv_number = if((isnull(dv_number) OR len('dv_number') == 0), DV_NUMBER, dv_number)
       | eval number = if((isnull(number) OR len('number') == 0), dv_number, number)
       | eval number = if((isnull(number) OR len('number') == 0), NUMBER, number)
       | eval number = if((isnull(number) OR len('number') == 0), "Error", number)
       | eval number = if(number!=dv_number, dv_number, number)
       | eval dv_u_subcategory = if((isnull(dv_u_subcategory) OR len('dv_u_subcetegory') == 0), DV_U_SUBCATEGORY, dv_u_subcategory)
       | eval dv_u_category = if((isnull(dv_u_category) OR len('dv_u_category')==0), DV_U_CATEGORY, dv_u_category)
| eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Analytics"), "Detect", dv_business_service)
       | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Engineering"), "Engineering", dv_business_service)
       | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), DV_BUSINESS_SERVICE, dv_business_service)
       | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_business_service')==0) AND dv_u_category="Notable" AND dv_u_subcategory="Security"), "Detect", dv_business_service)
       | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), "Error", dv_business_service)
       | eval dv_business_service = if(dv_u_category="Infrastructure", "Engineering", dv_business_service)
       | eval state = if((isnull(state) OR len('state')==0), STATE, state)
| eval dv_state = if((isnull(dv_state) AND state=1), "New", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=3), "Closed", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=6), "Resolved", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=11), "On-Hold", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=18), "In Progress - Customer", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=7), "Cancelled", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=10), "In Progress - dw", dv_state)
       | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), DV_STATE, dv_state)
       | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), "Error", dv_state)
       | eval dv_state = if(dv_state="Error" AND (isnotnull(closed_at) OR len('closed_at') == 0), "Resolved", dv_state)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), short_description, dv_short_description)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), case, dv_short_description)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), DV_SHORT_DESCRIPTION, dv_short_description)
| eval dv_category = if(dv_business_service="Detect", "MDR Analytics", dv_category)
       | eval closed_at = if((isnull(closed_at) OR len('closed_at')==0), CLOSED_AT, closed_at)
       | eval u_mttn = if((isnull(u_mttn) OR len('u_mttn')==0), U_MTTN, u_mttn)
       | eval u_mttca_2 = if((isnull(u_mttca_2) OR len('u_mttca_2')==0), U_MTTCA_2, u_mttca_2)
       | eval u_mttcv = if((isnull(u_mttcv) OR len('u_mttcv')==0), U_MTTCV, u_mttcv)
       | eval u_mttdi = if((isnull(u_mttdi) OR len('u_mttdi')==0), U_MTTDI, u_mttdi)
       | eval u_mttrv = if((isnull(u_mttrv) OR len('u_mttrv')==0), U_MTTRV, u_mttrv)
       | eval u_mttc = if((isnull(u_mttc) OR len('u_mttc')==0), U_MTTC, u_mttc)
       | table _time, number, dv_state, dv_priority, dv_u_category, dv_short_description,dv_assigned_to,dv_assignment_group, opened_at
| where dv_assignment_group="Security"
| sort - _time
| sort - dv_state
| dedup number

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-23-2023 01:52 AM

hi @itsmevic70,

Check this app from Splunk, Splunk Dashboard Examples. It has a dashboard with your use case.

View solution in original post

Reply
Solved! Jump to solution

itsmevic70
Explorer
‎01-23-2023 06:39 AM

Thanks, Manjunathmeti.

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-23-2023 01:52 AM

hi @itsmevic70,

Check this app from Splunk, Splunk Dashboard Examples. It has a dashboard with your use case.

Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...