Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Color for text value

janitka
Explorer
‎01-28-2020 04:50 AM

Hello,

could someone help what to modify in bellow search, as i want to display red/green color if the value is True or False

sourcetype="xendesktop:7:machine" MachineName="$MachineName$" | table InMaintenanceMode | rename InMaintenanceMode as Maintenance | replace False with OFF in Maintenance | replace True with ON in Maintenance

Why is there no option for text, same as for numerical values?

Regards,
Jan

Tags (2)
Reply

efavreau
Motivator
‎01-28-2020 09:32 AM

@janitka There's lots of comparison operators and navigating which does what can be difficult. Especially since there can often be more than one way to get to an answer. However, you did the right thing and asking for opinions on Splunk Answers.
Use this run anywhere example to see that I can take the text you have given and created an example that results in a Maintenance column with ON and OFF values.

| makeresults
| eval _raw="MachineID,MachineName,MaintenanceMode
  1,Yoda,True
  2,Dooku,True
  3,Jinn,True
  4,Kenobi,False
  5,Skywalker,False
  6,Tano,False" 
| multikv 
| table MachineName MaintenanceMode
| eval State=case(
     match(MaintenanceMode,"True"), "ON",
     match(MaintenanceMode,"False"), "OFF"
     )
| rename State AS Maintenance

Here I am using a case statement to evaluate more than one case (or situation). Then I use the match function on the MaintenanceMode field, match on the word "True" and if it matches, call it "ON".
For me, there's a lot of power in using case and eval functions. I reference the following doc a lot when I get stuck:
https://docs.splunk.com/Documentation/Splunk/Latest/SearchReference/CommonEvalFunctions

Here are some screenshots of selecting colors based on text values. One is after you click the pencil/art brush in the top of the column, and the other is the result.
https://imgur.com/HTd182q
https://imgur.com/WfbZ0zL

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...