Dashboards & Visualizations

Can I use ' if (match (X, "regex"), Y, Z) ' in a colorPalette expression?

camillak
Path Finder

I am trying to match a timestamp field depending on how many minutes ago (0-9, or 10+). I'm using a colorPalette of type="expression" to color a table column based on the age of the data. The field is concatenated from _time and a field that is evaluated from now()-_time. Here's an example of my field:

05/07/18 - 12:44:32 (1 minutes ago)

    <format type="color" field="Updated">
      <colorPalette type="expression">if (match (value, ".*\(\d\s.*"), "0x65A637", "0xD93F3C")</colorPalette>
    </format>

On my dashboard this returns 0x65A637 for (0-9 minutes ago), but also for (10+ minutes ago).

The same statement, as an eval to add a table column, works fine, so I don't think the problem is with the regex match.


niketn
Legend

@camillak, somehow complex regular expression for colorPalette i.e. \d{1} does not seem to work. Can you please try the following instead?

    <format type="color" field="Updated">
      <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
    </format>

Following is a run anywhere dashboard based on Splunk's internal indexes.


Following is the dashboard Simple XML code:

    <dashboard>
      <label>Color based on Regular Expression Match</label>
      <row>
        <panel>
          <table>
            <search>
              <query>| metadata type=sourcetypes index=_*
    | table sourcetype totalCount lastTime
    | fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
    | eval Updated=round((now()-lastTime)/60,0)
    | eval Updated=if(Updated<10,Updated." Minutes Ago","10+ Minutes Ago")</query>
              <earliest>0</earliest>
              <sampleRatio>1</sampleRatio>
            </search>
            <option name="count">20</option>
            <option name="dataOverlayMode">none</option>
            <option name="drilldown">none</option>
            <option name="percentagesRow">false</option>
            <option name="rowNumbers">false</option>
            <option name="totalsRow">false</option>
            <option name="wrap">true</option>
            <format type="color" field="Updated">
              <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
            </format>
          </table>
        </panel>
      </row>
    </dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


camillak
Path Finder

I had actually just figured this out. The \d and \( were both not working. The example that you posted is almost exactly what I needed. Because the number of minutes is not the beginning of my field, I still had to account for the open parenthesis. This worked for me:

    <colorPalette type="expression">if (match (value, " .[0-9] minutes ago"), "0x65A637", "0xD93F3C")</colorPalette>
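As an added check, not code from the thread: the regexes discussed above, run in Python's re module against constructed sample values shaped like the question's Updated field. It assumes Python's re.search behaves like the palette's match() for these simple patterns, and it also shows why the leading " ." in the working pattern matters: without that context, "10 minutes ago" is colored fresh because its "0 minutes ago" suffix matches.

```python
import re

# Constructed sample values in the shape "<timestamp> (<N> minutes ago)",
# with the expected freshness (True = 0-9 minutes, should be green).
SAMPLES = [
    ("05/07/18 - 12:44:32 (0 minutes ago)", True),
    ("05/07/18 - 12:44:32 (1 minutes ago)", True),
    ("05/07/18 - 12:44:32 (9 minutes ago)", True),
    ("05/07/18 - 12:44:32 (10 minutes ago)", False),
    ("05/07/18 - 12:44:32 (19 minutes ago)", False),
    ("05/07/18 - 12:44:32 (120 minutes ago)", False),
]

# The regex from the original question (relies on \( and \d escapes).
ORIGINAL = r".*\(\d\s.*"
# The regex that finally worked in the palette: no escapes, the " ." consumes
# the space and the "(" that precede the digit.
PORTABLE = r" .[0-9] minutes ago"
# A tempting simplification that is wrong on this data (hypothetical, for
# contrast): nothing constrains what comes before the digit.
UNANCHORED = r"[0-9] minutes ago"

GREEN, RED = "0x65A637", "0xD93F3C"


def palette_color(value, pattern):
    """Mimic if(match(value, pattern), green, red); match() is a search, not a full-string match."""
    return GREEN if re.search(pattern, value) else RED


def classify(pattern, samples=SAMPLES):
    """Return {value: color} for every sample under the given pattern."""
    return {value: palette_color(value, pattern) for value, _ in samples}


def agrees_with_expected(pattern, samples=SAMPLES):
    """True if the pattern colors every sample the way the age boundary requires."""
    return all(palette_color(value, pattern) == (GREEN if fresh else RED)
               for value, fresh in samples)


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("portable", PORTABLE),
                          ("unanchored", UNANCHORED)):
        print(name, "correct" if agrees_with_expected(pattern) else "WRONG")
        for value, color in classify(pattern).items():
            print("   ", color, value)
```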

niketn
Legend

As pointed out by @jeffland, it seems like the 8.x version supports the case statement. Not sure which version onward this started working.

Following answer used case with match for applying colorPalette based on expression:
https://answers.splunk.com/answers/820403/how-to-change-font-color-based-on-a-condition-for.html


jconger
Splunk Employee

Are you using the actual text "color1" and "color2"? Those should be RGB hex values like #FF0000 (for red), or #00FF00 (for blue).

I believe you need to specify the field in your <format> tag too. Something like:

    <format type="color" field="count">

camillak
Path Finder

Thanks for the suggestion, I am specifying the actual hex values, and have the field name in my format tag


jconger
Splunk Employee

I noticed your regex is invalid in your match.

    .{0,}(\d{1}\s.{0,}

There is an incomplete grouping by having an open "(" without a closing ")".


camillak
Path Finder

I escaped it in the original, the code sample tool is not behaving as I would like.


camillak
Path Finder

I think that this is not possible, by the way - I tried a much simpler regex and it did not work.

    if (match (value, "Online"), "0x65A637", "0xD93F3C")

This has no effect on the column color although Online is the value. Simple if

    if ( value == "Online", "0x65A637", "0xD93F3C")

works fine.
