Dashboards & Visualizations

Can I use ' if (match (X, "regex), Y, Z) ' in a colorPalette expression?

camillak
Path Finder

I am trying to match a timestamp field depending on how many minutes ago (0-9, or 10+). I'm using a colorPalette of type="expression" to color a table column based on the age of the data. The field is concatenated from _time and a field that is evaluated from now()-_time. Here's an example of my field:

05/07/18 - 12:44:32 (1 minutes ago)

<format type="color" field="Updated">
<colorPalette type="expression">if (match (value, ".*\(\d\s.*"), "0x65A637", "0xD93F3C")</colorPalette>
</format>
  • on my dashboard this returns 0x65A637 for (0-9 minutes ago), but also for (10+ minutes ago).

The same statement, as an eval to add a table column, works fine, so I don't think the problem is with the regex match.

0 Karma
1 Solution

niketn
Legend

@camillak, somehow complex regular expression for colorPalette i.e. \d{1} does not seem to work. Can you please try the following instead?

    <format type="color" field="Updated">
      <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
    </format>

Following is a run anywhere dashboard based on Splunk's internal indexes.

alt text

Following is the dashboard Simple XML code:

<dashboard>
  <label>Color based on Regular Expression Match</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=sourcetypes index=_*
| table sourcetype totalCount lastTime
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| eval Updated=round((now()-lastTime)/60,0)
| eval Updated=if(Updated<10,Updated." Minutes Ago","10+ Minutes Ago")</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Updated">
          <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@camillak, somehow complex regular expression for colorPalette i.e. \d{1} does not seem to work. Can you please try the following instead?

    <format type="color" field="Updated">
      <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
    </format>

Following is a run anywhere dashboard based on Splunk's internal indexes.

alt text

Following is the dashboard Simple XML code:

<dashboard>
  <label>Color based on Regular Expression Match</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=sourcetypes index=_*
| table sourcetype totalCount lastTime
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| eval Updated=round((now()-lastTime)/60,0)
| eval Updated=if(Updated<10,Updated." Minutes Ago","10+ Minutes Ago")</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Updated">
          <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

camillak
Path Finder

I had actually just figured this out. The \d and \( were both not working. The example that you posted is almost exactly what I needed. Because the number of minutes is not the beginning of my field, I still had to account for the open parenthesis. This worked for me:

<colorPalette type="expression">if (match (value, " .[0-9] minutes ago"), "0x65A637", "0xD93F3C")</colorPalette>

niketn
Legend

As pointed out by @jeffland seems like 8.x version supports case statement. Not sure which version onward this started working.

Following answer used case with match for applying colorPalette based on expression:
https://answers.splunk.com/answers/820403/how-to-change-font-color-based-on-a-condition-for.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jconger
Splunk Employee
Splunk Employee

Are you using the actual text "color1" and "color2"? Those should be RGB hex values like #FF0000 (for red), or #00FF00 (for blue).

I believe you need to specify the field in your <format> tag too. Something like:

<format type="color" field="count"> 
0 Karma

camillak
Path Finder

Thanks for the suggestion, I am specifying the actual hex values, and have the field name in my format tag

0 Karma

jconger
Splunk Employee
Splunk Employee

I noticed your regex is invalid in your match.

.{0,}(\d{1}\s.{0,}

There is an incomplete grouping by having an open "(" without a closing ")".

0 Karma

camillak
Path Finder

I escaped it in the original, the code sample tool is not behaving as I would like.

0 Karma

camillak
Path Finder

I think that this is not possible, by the way - I tried a much simpler regex and it did not work.

if (match (value, "Online"), "0x65A637", "0xD93F3C")

This has no effect on the column color although Online is the value. Simple if

if ( value == "Online", "0x65A637", "0xD93F3C") 

works fine.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...