Change color of single value visualization

AlexMcDuffMille
Communicator

I'm creating a dashboard panel that will say if something is Available or Unavailable based on if the count of 'DOWN' is greater than 0 over the last 20 minutes. I'm using this command after my search, and after I count the number of times 'DOWN' appears in the logs: | eval is_available=if(DOWN > 0, "Unavailable", "Available") | table is_available

I'm using a single value display to represent this on my dashboard.

I would like to change the color so that it's green when it says 'Available' and red when it says 'Unavailable'. Does anyone know how to do this? I don't think rangemap will work because if I configure rangemap based on the 'DOWN' field it will affect the is_available field, which is the field that I'm actually sending to the visualization.

Thanks!

0 Karma
1 Solution

sowings
Splunk Employee

Range map sets a field to a value. That field is then called out in your single value button's config as "the field that dictates the (CSS) class to apply", and the value of that field is the name of the class.

A couple of classes out of the box are "low" (green), "elevated" (amber), and "severe" (red).

So if you did something like eval class=if(DOWN > 0, "severe", "low") you'd end up with a field to drive the color. The single value in Simple XML then looks like this:

<single>
  <title>Blah</title>
  <searchString>your search here</searchString>
  <option name="classField">class</option>
  <option name="field">is_available</option>
</single>

whistl034
Explorer

Actually, now the GUI adds a way to do this, in later versions. Edit the dashboard, edit the search of the single panel you want to colorize to remove rangemap, so you're just presenting a numeric value. The rightmost menu looks to me like a little pen; click that, and click on Colors. Turn Use Colors on and define your ranges and colors here.

From the Simple XML editor, use this:

<single>
  <title>Total Transactions</title>
  <search base="perf2data">
    <query>stats sum(TOTAL) as TOTAL</query>
  </search>
  <option name="drilldown">none</option>
  <option name="numberPrecision">0</option>
  <option name="rangeColors">["0x65a637","0xf7bc38","0xd93f3c"]</option>
  <option name="rangeValues">[7500000,10000000]</option>
  <option name="useColors">1</option>
</single>

avisram
Path Finder

Please note that this solution worked; however, the word "class" (in the eval statement) must be a reserved word now (I'm using 6.3.3). It wasn't until I changed this to some other value (I used the word "range") that it worked.

0 Karma

sowings
Splunk Employee

Try it without the rangemap, and without the table at the end.

First, rangemap is redundant here, because you're expressly setting the class field.

Second, the table command is only showing the is_available field, meaning that your class field is discarded. Make it at least table is_available, class, or leave off the table command entirely.

allan_newton
Path Finder
0 Karma

AlexMcDuffMille
Communicator

It's still just showing up as black. I think the value of 'class' should be driving the color, right?

Right now my XML looks like this:
SPLUNKSEARCH
TITLE
class
is_available

And my search looks like this:

search...search...search...
| stats count as TOTAL, count(eval(SERVICE="2")) as DOWN

| eval is_available=if(DOWN > 0, "Unavailable", "Available") | eval class=if(DOWN > 0, "severe", "low")

| rangemap field=DOWN low=0-0 default=severe
| table is_available

Thanks!
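
The fixes from this thread combined into one panel, as an added example that is not taken from any of the posts: the rangemap is dropped, the final table keeps the class-driving field alongside is_available, and that field is named range rather than class, as avisram reports was needed on 6.3.3. The index name, the earliest=-20m time bound, the label and the title are placeholders chosen for illustration.

```xml
<dashboard>
  <label>Service availability (example)</label>
  <row>
    <panel>
      <single>
        <title>Service status, last 20 minutes</title>
        <!-- index=placeholder_index stands in for the original base search.
             No rangemap: the eval below sets the class-driving field directly.
             The final table keeps BOTH fields; "table is_available" alone
             would discard the field that drives the color. -->
        <searchString>
          index=placeholder_index earliest=-20m
          | stats count as TOTAL, count(eval(SERVICE="2")) as DOWN
          | eval is_available=if(DOWN > 0, "Unavailable", "Available")
          | eval range=if(DOWN > 0, "severe", "low")
          | table is_available, range
        </searchString>
        <!-- classField names the field whose value is applied as the CSS
             class: "low" renders green, "severe" renders red. -->
        <option name="classField">range</option>
        <!-- field names the value actually displayed in the panel. -->
        <option name="field">is_available</option>
      </single>
    </panel>
  </row>
</dashboard>
```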
