Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Coloring column dynamically based on all the results for a given column in a given search (AKA Conditional Formatting)

nitzan_b
New Member
‎05-27-2020 10:55 AM

I’m trying to apply a color logic to a specific column in a table by range and thresholds.
I have 1000 rows in that table, with 10 rows presented in each page.
The range of colors should be the same for all the values in the table, not only those that are presented in the current page.

alt text

As suggested here I tried using the following method:

        <format type="color" field="kw_blocks / total_kw_blocks">
          <colorPalette type="list">[#DC4E41,#F8BE34,#53A051]</colorPalette>
          <scale type="threshold">33,66</scale>
        </format>
        <format type="number" field="kw_blocks / total_kw_blocks">
          <option name="unit">%</option>
        </format>

The only issue in this solution is that it uses constant thresholds:

 <scale type="threshold">33,66</scale>

However In my case I don't know in advance what will be the max value and therefore I am getting it from the query search dynamically. Therefore I would like the thresholds to be percentile of this value.
It will look something like this:

<scale type="threshold">0.33*Max(kw_blocks / total_kw_blocks),0.66*Max(kw_blocks / total_kw_blocks)</scale>

Any idea how to do it?

Preview file
28 KB
0 Karma
Reply

niketn
Legend
‎05-27-2020 12:59 PM

@nitzan_b what is the logic that you need to apply for table cell color palette? If it is based on Range have you tried threshold based colorPalette? Following is an example:

    <format type="color" field="data">
      <colorPalette type="list">[#53A051,#B6C75A,#006D9C,#62B3B2,#F8BE34,#EC9960,#F1813F,#DC4E41]</colorPalette>
      <scale type="threshold">0,20,40,60,80,90,95</scale>
    </format>
    <format type="number" field="data">
      <option name="unit">%</option>
    </format>

If the logic is different and not covered by any of mechanism provided in Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/TableFormatsXML#Color_palette_types_and_opti..., then, please add details for the community to assist!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

nitzan_b
New Member
‎05-28-2020 12:44 AM

@niketnilay the solution you suggested is exactly what I need.
However when using threshold based colorPalette the problem is that I need to define constant thresholds:

<scale type="threshold">0,20,40,60,80,90,95</scale>

In my case I don't know in advance what will be the max value. I am getting it from the query dynamically. Therefore I would like the thresholds to be percentile of this value.
It will look something like this:

    <scale type="threshold">0.33*MaxData,0.66*MaxData</scale>

Is this doable?
I also tried to calculate these values in the query itself:

| eventstats max(data) as MaxValueColoring
| eval 33Precentile=0.33*MaxValueColoring, 66Precentile=0.66*MaxValueColoring

And then pass them as the thresholds values but this is not working either: 

 <scale type="threshold">33Precentile,66Precentile</scale>
0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...