Solved: Re: Color change based on value for single value v...

alexspunkshell · ‎08-19-2019

I am receiving 8 count for below query. If logs are receiving at particular time it should display count and color as Green if not it should be in RED color.
Example - If logs are there for 7.10 to 7.20 and no logs at 9.10 to 9.20 it should display as 1 (for 7.10 to 7.20) and color as RED (because no log at 9.10 to 9.20).
Please help me here

index=mssql_db source=event_log "Completed : Automated Process Aii - Hunter : 29 : System Process - Ai2 Express Queue" | eval date_hourmin = strftime(_time, "%H%M%S") | where (date_hourmin >= 071000 AND date_hourmin <= 072000) OR (date_hourmin >= 091000 AND date_hourmin <= 092000) OR (date_hourmin >= 111000 AND date_hourmin <= 112000) OR (date_hourmin >= 131000 AND date_hourmin <= 132000) OR (date_hourmin >= 151000 AND date_hourmin <= 152000) OR (date_hourmin >= 171000 AND date_hourmin <= 172000) OR (date_hourmin >= 191000 AND date_hourmin <= 192000) OR (date_hourmin >= 211000 AND date_hourmin <= 212000) |stats count

alexspunkshell · ‎08-20-2019

@ALXWBR Thanks for your reply !!! From your query i could able to find the missing logs. Thanks much.

Now if any logs missed at that particular time, then the single value visualization should change to RED color. Else it should be in Green color.

Example - If any logs missed at 7 AM or 9 AM or 11 AM or any time then it should change the visualization color to RED.

Please help here.

View solution in original post

alexspunkshell · ‎08-20-2019

@ALXWBR Thanks for your reply !!! From your query i could able to find the missing logs. Thanks much.

Now if any logs missed at that particular time, then the single value visualization should change to RED color. Else it should be in Green color.

Example - If any logs missed at 7 AM or 9 AM or 11 AM or any time then it should change the visualization color to RED.

Please help here.

ALXWBR · ‎01-28-2020

Hi @alexspunkshell

On the single viz, select format visualisation, then select color.
Under use colors, select 'Yes'
Then change the first range from min to 0 with color red and set the second range from 0 to max with color green.

ALXWBR · ‎08-20-2019

Hi

I'm a little confused as to what you are actually trying to achieve here, but if it's a count of time ranges where there are zero logs then you could try the below?

index=mssql_db source=event_log "Completed : Automated Process Aii - Hunter : 29 : System Process - Ai2 Express Queue" 
| eval date_hourmin = strftime(_time, "%H%M%S"), 
    time_bin = case(date_hourmin >= 071000 AND date_hourmin <= 072000, "07", date_hourmin >= 091000 AND date_hourmin <= 092000, "09", date_hourmin >= 111000 AND date_hourmin <= 112000, "11", date_hourmin >= 131000 AND date_hourmin <= 132000, "13", date_hourmin >= 151000 AND date_hourmin <= 152000, "15", date_hourmin >= 171000 AND date_hourmin <= 172000, "17", date_hourmin >= 191000 AND date_hourmin <= 192000, "19", date_hourmin >= 211000 AND date_hourmin <= 212000, "21") 
| stats count as logs by time_bin
| stats count(eval(logs=0)) as missing_logs

Color change based on value for single value visualization

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation