Solved: Re: Add Color to Specific Text within a Field

itsmevic70 · ‎01-20-2023

I'm creating a ServiceNow Dashboard in Splunk, and there is a particular column called "dv_priority" that I'd like to assign a color code to. For example, their are four values assigned to dv_priority field, it's either going to "1 - Critical" , "2 - High" , "3 - Moderate" , "4 - Low", "5 - Informational"

I'd like to color code these values, for example "1 - Critical" (Red), "2 - High" (Orange), "3 - Moderate" (Yellow) and "4 - Low" (Purple) and "5 - Informational" (Green).

What would be the best approach SPL-wise in doing this with the below query?

index=servicenow sourcetype=* NOT dv_state IN("Closed", "Resolved", "Cancelled")
| eval dv_number = if(isnull(dv_number), task_effective_number, dv_number)
       | eval dv_number = if((isnull(dv_number) OR len('dv_number') == 0), DV_NUMBER, dv_number)
       | eval number = if((isnull(number) OR len('number') == 0), dv_number, number)
       | eval number = if((isnull(number) OR len('number') == 0), NUMBER, number)
       | eval number = if((isnull(number) OR len('number') == 0), "Error", number)
       | eval number = if(number!=dv_number, dv_number, number)
       | eval dv_u_subcategory = if((isnull(dv_u_subcategory) OR len('dv_u_subcetegory') == 0), DV_U_SUBCATEGORY, dv_u_subcategory)
       | eval dv_u_category = if((isnull(dv_u_category) OR len('dv_u_category')==0), DV_U_CATEGORY, dv_u_category)
| eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Analytics"), "Detect", dv_business_service)
       | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_u_business_service')==0) AND dv_category="MDR Engineering"), "Engineering", dv_business_service)
       | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), DV_BUSINESS_SERVICE, dv_business_service)
       | eval dv_business_service = if(((isnull(dv_business_service) OR len('dv_business_service')==0) AND dv_u_category="Notable" AND dv_u_subcategory="Security"), "Detect", dv_business_service)
       | eval dv_business_service = if((isnull(dv_business_service) OR len('dv_u_business_service')==0), "Error", dv_business_service)
       | eval dv_business_service = if(dv_u_category="Infrastructure", "Engineering", dv_business_service)
       | eval state = if((isnull(state) OR len('state')==0), STATE, state)
| eval dv_state = if((isnull(dv_state) AND state=1), "New", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=3), "Closed", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=6), "Resolved", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=11), "On-Hold", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=18), "In Progress - Customer", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=7), "Cancelled", dv_state)
       | eval dv_state = if((isnull(dv_state) AND state=10), "In Progress - dw", dv_state)
       | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), DV_STATE, dv_state)
       | eval dv_state = if((isnull(dv_state) OR len('dv_state')==0), "Error", dv_state)
       | eval dv_state = if(dv_state="Error" AND (isnotnull(closed_at) OR len('closed_at') == 0), "Resolved", dv_state)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), short_description, dv_short_description)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), case, dv_short_description)
       | eval dv_short_description = if((isnull(dv_short_description) OR len('dv_short_description') == 0), DV_SHORT_DESCRIPTION, dv_short_description)
| eval dv_category = if(dv_business_service="Detect", "MDR Analytics", dv_category)
       | eval closed_at = if((isnull(closed_at) OR len('closed_at')==0), CLOSED_AT, closed_at)
       | eval u_mttn = if((isnull(u_mttn) OR len('u_mttn')==0), U_MTTN, u_mttn)
       | eval u_mttca_2 = if((isnull(u_mttca_2) OR len('u_mttca_2')==0), U_MTTCA_2, u_mttca_2)
       | eval u_mttcv = if((isnull(u_mttcv) OR len('u_mttcv')==0), U_MTTCV, u_mttcv)
       | eval u_mttdi = if((isnull(u_mttdi) OR len('u_mttdi')==0), U_MTTDI, u_mttdi)
       | eval u_mttrv = if((isnull(u_mttrv) OR len('u_mttrv')==0), U_MTTRV, u_mttrv)
       | eval u_mttc = if((isnull(u_mttc) OR len('u_mttc')==0), U_MTTC, u_mttc)
       | table _time, number, dv_state, dv_priority, dv_u_category, dv_short_description,dv_assigned_to,dv_assignment_group, opened_at
| where dv_assignment_group="Security"
| sort - _time
| sort - dv_state
| dedup number

manjunathmeti · ‎01-23-2023

hi @itsmevic70,

Check this app from Splunk, Splunk Dashboard Examples. It has a dashboard with your use case.

View solution in original post

itsmevic70 · ‎01-23-2023

Thanks, Manjunathmeti.

manjunathmeti · ‎01-23-2023

hi @itsmevic70,

Check this app from Splunk, Splunk Dashboard Examples. It has a dashboard with your use case.

Add Color to Specific Text within a Field?

dashboard

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Add Color to Specific Text within a Field?

dashboard

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases