Dashboards & Visualizations

Colour formatting when comparing field values against each other?

fflima
New Member

Not sure if this is a potential bug or simply not doable but trying to colour format a field whilst comparing it to the expected value of another field.

ie if field 1!= field 2 then colour field 1 as red

Below was the sample in the source used:

<format type="color" field="netbox_tenant">
<colorPalette type="expression"> if (netbox_tenant!=tenant,"#53A051","#DC4E41")</colorPalette>

Result looked like below:

fflima_0-1594046872590.png

 

Those top three should be green based on logic although it appears to colour everything with the first choice colour - have tried multiple different statements (case etc) but doesn't seem to want to work.

Any ideas?

Labels (2)
0 Karma

efavreau
Motivator

Hi @fflima!

By itself, you can't do that exactly as you are trying to. It appears that you already figured out the new column with pass/fail. That's how to go about something similar.

Cheers!

###

If this reply helps you, an upvote would be appreciated.
0 Karma

fflima
New Member

@efavreau  thanks for coming back!

Is this something that would be doable in the near future? Or could potentially have a feature request for?

The Pass/Fail at the end is an eval where I'm comparing 4-5 different fields that we might care about.

Was looking to colour the fields in the way I've described so that for each fail you see exactly which field/s causes the overall fail.

I have other pages similar to this where I'll be doing pass/fail logic comparing 10+ fields - alternative would be to create a column per item checked as well as this overall Pass/Fail column although you wouldn't see nicely which field is the failing item.. 

0 Karma

efavreau
Motivator

@fflimaI don't know if such a feature would be coming. Likely Splunk won't comment on that. Ideas can be posted to https://ideas.splunk.com/ (there's a link at the top of the page here within the Splunk Community site). You are correct, having a new column that does the comparison for each would be a way to solve it. If there's another way, maybe someone else in the community knows.

However, when I've used a similar approach, I had another column called "Reason". I can't grab the logic right now (I used a couple case statements IIRC), so hopefully you can follow what I am trying to say.

If "pass" value, reason = ""

If "fail" value, reason = "Failed on ".fieldname

The magic there is the "." is concatenating the name of your field that failed, with the "Failed on " phrase. You can't make it red without JavaScript (https://community.splunk.com/t5/Splunk-Search/Wilde-card-is-not-working-for-when-using-colorPalette-... but it would tell you more easily, the reason for the fail.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...