Hi
I use this code in order to display the difference between the free space disk and the total space disk
I need to create a color alert in the field
when the difference between space disk and total disk is less than 20 GB, i want the field to be colored in orange and when the difference is less thant 10 GB i want the field colored in red
I dont need the display the difference value but just to color my field
I doesnt see any possibility to add a calcul in the color field rules
How to do please???
index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space"| search host=*
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval DiskSize = round(mb_free/1000,2)." MB / ".round(total_space/1000,2)." MB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize |sort -time
@jip31,
There are minor adjustments you need to get the actual result. The disk space from perfmon is on MB and by dividing by 1000 you are getting the space in GB and also it should be by 1024 instead of 1000 for accurate results. Also calculate the difference between the total and used eval diff=round((total_space-mb_free)/1024,2)
So the search will be
index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space"| search host=*
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval diff=round((total_space-mb_free)/1024,2)|eval DiskSize = round(mb_free/1024,2)." GB / ".round(total_space/1024,2)." GB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize diff |sort -time
Once you have this in the table, you could change the color on basis of 'diff' column by just editing the visualization
https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormats
Sample dashboard - you might need to adjust the sourcetype and instance
<dashboard>
<label>perf</label>
<row>
<panel>
<table>
<search>
<query>index="perfmon" sourcetype="Perfmon:disk" counter="Free Megabytes" OR counter="% Free Space"
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval diff=round((total_space-mb_free)/1024,2) | eval DiskSize = round(mb_free/1024,2)." GB / ".round(total_space/1024,2)." GB"|eval time = strftime(_time, "%d-%m-%y %H:%M")
| table time host instance DiskSize,diff |sort -time</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="diff">
<colorPalette type="list">[#DC4E41,#EC9960,#53A051]</colorPalette>
<scale type="threshold">10,20</scale>
</format>
</table>
</panel>
</row>
</dashboard>
There are a whole bunch of different ways, none of them difficult, based on what you might be trying to do. I believe this first one may be what you are looking for, but there are some additional links at the end.
https://answers.splunk.com/answers/230164/how-to-get-a-table-cell-color-to-change-depending.html
Also, our awesome Splunk Trust member @niketnilay posted a great fully-described example here - https://answers.splunk.com/answers/583047/can-i-color-a-cell-based-on-condition.html
If you work your way through that, you should be able to get exactly what you need.
Here's some other references:
https://answers.splunk.com/answers/613766/how-can-i-change-the-color-of-the-single-value-vis.html
https://answers.splunk.com/answers/58335/change-chart-bar-color-based-on-data-value.html
https://answers.splunk.com/answers/469656/how-to-change-the-background-color-of-the-panels-i.html
https://answers.splunk.com/answers/200861/how-to-change-bar-colors-in-a-bar-chart-based-on-v.html
Thanks Dal 🙂 I think the question here by @jip31 is to color by difference but do not show difference in the table, rather show the free space alone (not even the total space). This is slightly tricky but possible thanks to the following post by @kamlesh_vaghela: https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...
The approach of answer would be
1) To have table with with free space and total space both in the same field in the table (possibly with delimiter like comma or semi-colon between them).
2) Use Simple XML JS Extension to define Custom Table Cell Renderer for combined field. Use javaScript to Split the two values in Cell and get the difference.
3) Set the class for color based on range for difference.
4) Finally while rendering the table cell value keep only the Free space and discard the total space value.
Please try out and confirm whether you need a mock run anywhere example similar to your query.
@jip31,
There are minor adjustments you need to get the actual result. The disk space from perfmon is on MB and by dividing by 1000 you are getting the space in GB and also it should be by 1024 instead of 1000 for accurate results. Also calculate the difference between the total and used eval diff=round((total_space-mb_free)/1024,2)
So the search will be
index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space"| search host=*
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval diff=round((total_space-mb_free)/1024,2)|eval DiskSize = round(mb_free/1024,2)." GB / ".round(total_space/1024,2)." GB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize diff |sort -time
Once you have this in the table, you could change the color on basis of 'diff' column by just editing the visualization
https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormats
Sample dashboard - you might need to adjust the sourcetype and instance
<dashboard>
<label>perf</label>
<row>
<panel>
<table>
<search>
<query>index="perfmon" sourcetype="Perfmon:disk" counter="Free Megabytes" OR counter="% Free Space"
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval diff=round((total_space-mb_free)/1024,2) | eval DiskSize = round(mb_free/1024,2)." GB / ".round(total_space/1024,2)." GB"|eval time = strftime(_time, "%d-%m-%y %H:%M")
| table time host instance DiskSize,diff |sort -time</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="diff">
<colorPalette type="list">[#DC4E41,#EC9960,#53A051]</colorPalette>
<scale type="threshold">10,20</scale>
</format>
</table>
</panel>
</row>
</dashboard>
@jip31,
This is missing in your search | eval diff=round((total_space-mb_free)/1024,2)
Try below
index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space"
| search host=$tok_filterhost$ | eval perc_free = if(counter="% Free Space",Value,null) | eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance | eval total_space = mb_free / (perc_free) * 100
| eval diff=round((total_space-mb_free)/1024,2)
| eval DiskSize = round(mb_free/1024,2)." MB / ".round(total_space/1024,2)." MB"|eval time = strftime(_time, "%d-%m-%y %H:%M")
| table time host instance DiskSize diff|sort -time
i have succedeed renjith but i would like to have the cell colored in the disksize field and not in the diff field....
As mentioned above by @niketnilay, you might need js , https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...
Hello all and thanks
@ renjith : i have just added this in my xml
<format type="color" field="diff">
<colorPalette type="list">[#DC4E41,#EC9960,#53A051]</colorPalette>
<scale type="threshold">10,20</scale>
</format>
is it ok because the field is not colored?
The entire code is
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval DiskSize = round(mb_free/1024,2)." MB / ".round(total_space/1024,2)." MB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize |sort -time
10
row
progressbar
thanks