Solved: Configure colour coded results by default

quixand · ‎11-07-2010

Hi all

How do you configure colour coding in general search results. I know i can use the rangemap command but in apps like OSSEC some general results are highlighted in a red border without using rangemap in the search string?

cheers

southeringtonp · ‎11-07-2010

What you're looking for is Event Renderers.

You might wish to take a look at this previous thread:
http://answers.splunk.com/questions/7378/modifying-css-to-colorize-table-rows-in-dashboard-panel-wit...

In its simplest form, the three steps are:

Create eventtypes in eventtypes.conf for each set of events to be colorized.
Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)

For example (adapted from the OSSEC app):

eventtypes.conf:

[ossec_high_severity]
search = eventtype=ossec (severity>8)

event_renderers.conf:

[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

appserver/static/application.css:

/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}

If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events (link).

Here's another good CSS-only example, from a recent blog post:
http://blogs.splunk.com/2010/10/26/colorize-your-world-or-at-least-your-splunk-results/

View solution in original post

gkanapathy · ‎11-07-2010

Probably you are seeing the High-Low Overlay, which can be selected manually in any search results, or configured in Advanced XML with the "DataOverlay" module. I don't think there is an option to force-set it in Simple XML. There is also a Heatmap Overlay. Unfortunately, there really isn't a way to create any other overlays or significantly change these, but you might be able to use custom event renderers to do what you need.

southeringtonp · ‎11-07-2010

What you're looking for is Event Renderers.

You might wish to take a look at this previous thread:
http://answers.splunk.com/questions/7378/modifying-css-to-colorize-table-rows-in-dashboard-panel-wit...

In its simplest form, the three steps are:

Create eventtypes in eventtypes.conf for each set of events to be colorized.
Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)

For example (adapted from the OSSEC app):

eventtypes.conf:

[ossec_high_severity]
search = eventtype=ossec (severity>8)

event_renderers.conf:

[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

appserver/static/application.css:

/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}

If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events (link).

Here's another good CSS-only example, from a recent blog post:
http://blogs.splunk.com/2010/10/26/colorize-your-world-or-at-least-your-splunk-results/

albyva · ‎09-17-2013

Ugh.. Nothing simply like | where XXX>1000 turn red

???

Configure colour coded results by default

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...