I am trying to match a timestamp field depending on how many minutes ago (0-9, or 10+). I'm using a colorPalette of type="expression" to color a table column based on the age of the data. The field is concatenated from _time and a field that is evaluated from now()-_time. Here's an example of my field:
05/07/18 - 12:44:32 (1 minutes ago)
<format type="color" field="Updated">
<colorPalette type="expression">if (match (value, ".*\(\d\s.*"), "0x65A637", "0xD93F3C")</colorPalette>
</format>
The same statement, as an eval to add a table column, works fine, so I don't think the problem is with the regex match.
@camillak, somehow a complex regular expression for colorPalette, i.e. \d{1}, does not seem to work. Can you please try the following instead?
    <format type="color" field="Updated">
      <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
    </format>
Following is a run-anywhere dashboard based on Splunk's internal indexes.
Following is the dashboard Simple XML code:
<dashboard>
  <label>Color based on Regular Expression Match</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| metadata type=sourcetypes index=_*
| table sourcetype totalCount lastTime
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| eval Updated=round((now()-lastTime)/60,0)
| eval Updated=if(Updated<10,Updated." Minutes Ago","10+ Minutes Ago")</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="Updated">
          <colorPalette type="expression">if(match(value,"^[0-9] Minutes Ago"),"#65A637","#D93F3C")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
I had actually just figured this out. The \d and \( were both not working. The example that you posted is almost exactly what I needed. Because the number of minutes is not the beginning of my field, I still had to account for the open parenthesis. This worked for me:
<colorPalette type="expression">if (match (value, " .[0-9] minutes ago"), "0x65A637", "0xD93F3C")</colorPalette>
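The two working patterns from this thread (the answer's `^[0-9] Minutes Ago` for a field that holds only the age bucket, and the asker's `" .[0-9] minutes ago"` for the concatenated timestamp field) are exercised below against constructed sample rows. This is an added example, not code from the thread or from Splunk: it uses Python's `re` module to stand in for Splunk's `match()`, so it cannot reproduce the Simple XML escaping quirk that breaks `\d` and `\(`, but it does show that the bracket-class patterns separate 0-9 minute rows from 10+ minute rows, which is the staleness check a log-source health dashboard needs. The sourcetype names, epoch values and the `now` constant are all constructed.

```python
import math
import re
import time

# Patterns copied verbatim from the thread; Python's re.search stands in for
# Splunk's match(), which is a substring match as well.
ANSWER_PATTERN = r"^[0-9] Minutes Ago"   # field holds only the age bucket
ASKER_PATTERN = r" .[0-9] minutes ago"   # age sits inside "(N minutes ago)"

FRESH = "#65A637"   # green: source reported within the last 10 minutes
STALE = "#D93F3C"   # red: 10+ minutes since the last event


def minutes_ago(last_time, now):
    """Splunk's round(x, 0) rounds half away from zero, unlike Python's round()."""
    return math.floor((now - last_time) / 60 + 0.5)


def age_bucket(last_time, now):
    """Replicates the answer's two eval lines: "N Minutes Ago" or "10+ Minutes Ago"."""
    minutes = minutes_ago(last_time, now)
    return f"{minutes} Minutes Ago" if minutes < 10 else "10+ Minutes Ago"


def updated_field(last_time, now):
    """Replicates the asker's concatenated field: timestamp plus "(N minutes ago)".
    gmtime keeps the output independent of the host time zone."""
    stamp = time.strftime("%m/%d/%y - %H:%M:%S", time.gmtime(last_time))
    return f"{stamp} ({minutes_ago(last_time, now)} minutes ago)"


def color_for(value, pattern):
    """Mirrors if(match(value, pattern), "#65A637", "#D93F3C")."""
    return FRESH if re.search(pattern, value) else STALE


def classify_sources(rows, now):
    """Colour each (sourcetype, lastTime) row the way the answer's dashboard would.
    Returns {sourcetype: (bucket, colour)} so a caller can list stale sources."""
    result = {}
    for sourcetype, last_time in rows:
        bucket = age_bucket(last_time, now)
        result[sourcetype] = (bucket, color_for(bucket, ANSWER_PATTERN))
    return result


def stale_sources(rows, now):
    """Sourcetypes whose colour is red, i.e. candidates for a broken log pipeline."""
    return sorted(s for s, (_, c) in classify_sources(rows, now).items() if c == STALE)


if __name__ == "__main__":
    # Constructed data: 2018-05-07 12:26:40 UTC as "now", four sourcetypes.
    NOW = 1525696000
    ROWS = [("syslog", NOW - 120), ("wineventlog", NOW - 540),
            ("firewall", NOW - 600), ("edr", NOW - 3600)]
    for name, (bucket, colour) in classify_sources(ROWS, NOW).items():
        print(f"{name:12} {bucket:16} {colour}")
    print("stale:", stale_sources(ROWS, NOW))
    for age in (60, 720):
        field = updated_field(NOW - age, NOW)
        print(field, color_for(field, ASKER_PATTERN))
```

The second pattern works for the asker's layout only because the single digit is preceded by exactly one character (the opening parenthesis) and a space; a two-digit age such as "(12 minutes ago)" has no space two characters before its last digit, so it falls through to red. If the field ever gains a different separator, the pattern needs adjusting.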
As pointed out by @jeffland, it seems the 8.x version supports the case statement. Not sure which version onward this started working.
The following answer used case with match for applying colorPalette based on an expression:
https://answers.splunk.com/answers/820403/how-to-change-font-color-based-on-a-condition-for.html
Are you using the actual text "color1" and "color2"? Those should be RGB hex values like #FF0000 (for red), or #00FF00 (for blue).
I believe you need to specify the field in your <format> tag too.  Something like:
<format type="color" field="count"> 
Thanks for the suggestion. I am specifying the actual hex values, and have the field name in my format tag.
I noticed your regex is invalid in your match.
.{0,}(\d{1}\s.{0,}
There is an incomplete grouping by having an open "(" without a closing ")".
I escaped it in the original, the code sample tool is not behaving as I would like.
I think that this is not possible, by the way; I tried a much simpler regex and it did not work.
if (match (value, "Online"), "0x65A637", "0xD93F3C")
This has no effect on the column color although Online is the value. A simple if
if ( value == "Online", "0x65A637", "0xD93F3C")
works fine.