Configure colour coded results by default

quixand
Path Finder

Hi all

How do you configure colour coding in general search results? I know I can use the rangemap command, but in apps like OSSEC some general results are highlighted with a red border without using rangemap in the search string.

cheers

1 Solution

southeringtonp
Motivator

What you're looking for is Event Renderers.

You might wish to take a look at this previous thread:
      http://answers.splunk.com/questions/7378/modifying-css-to-colorize-table-rows-in-dashboard-panel-wit...

In its simplest form, the three steps are:

  • Create eventtypes in eventtypes.conf for each set of events to be colorized.
  • Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
  • Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)

For example (adapted from the OSSEC app):

eventtypes.conf:

[ossec_high_severity]
search = eventtype=ossec (severity>8)

event_renderers.conf:

[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

appserver/static/application.css:

/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}

If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events.

Here's another good CSS-only example, from a recent blog post:
     http://blogs.splunk.com/2010/10/26/colorize-your-world-or-at-least-your-splunk-results/

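The three-file mapping in the answer above (eventtype stanza, renderer stanza naming that eventtype and a css_class, and a `.splEvent-<css_class>` rule in the stylesheet) fails silently when any link in the chain is misspelled: the search still runs, the event just never gets its border. The script below is an added example, not code from the original thread or from the OSSEC app. It parses constructed copies of the three files and reports every renderer stanza whose eventtype does not exist or whose css_class has no matching CSS rule. It assumes a single flat conf file per type (it does not merge Splunk's default/local layering or handle backslash line continuations), and the `ossec_medium_severity` / `er_ossec_low_severity` stanzas are hypothetical additions made to show a failing check.

```python
"""Consistency check for a Splunk event-renderer colouring setup.

Added example, not code from the original thread or from the OSSEC app.
It parses eventtypes.conf, event_renderers.conf and application.css and
flags renderer stanzas whose eventtype is undefined or whose css_class
has no `.splEvent-<css_class>` rule. Simplification: one flat file each,
no default/local merging, no backslash line continuations.
"""
import configparser
import re

# Constructed sample inputs (not read from disk). The high-severity stanzas
# mirror the answer's example; the medium/low ones are hypothetical and
# deliberately incomplete so the checker has something to report.
EVENTTYPES_CONF = """
[ossec_high_severity]
search = eventtype=ossec (severity>8)

[ossec_medium_severity]
search = eventtype=ossec (severity>=5 severity<=8)
"""

EVENT_RENDERERS_CONF = """
[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

[er_ossec_medium_severity]
eventtype = ossec_medium_severity
css_class = OssecMediumSeverity

# Hypothetical typo: 'severty' does not match any eventtypes.conf stanza.
[er_ossec_low_severity]
eventtype = ossec_low_severty
css_class = OssecLowSeverity
"""

APPLICATION_CSS = """
/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}
"""


def parse_conf(text):
    """Parse Splunk .conf text ([stanza] / key = value) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def css_classes_in(css_text):
    """Return the set of X for every `.splEvent-X` selector in the stylesheet."""
    return set(re.findall(r"\.splEvent-([A-Za-z0-9_-]+)", css_text))


def check_renderers(eventtypes_conf, event_renderers_conf, css_text):
    """Return one problem string per broken renderer stanza (empty list if all good)."""
    eventtypes = parse_conf(eventtypes_conf)
    renderers = parse_conf(event_renderers_conf)
    classes = css_classes_in(css_text)
    problems = []
    for stanza, keys in renderers.items():
        et = keys.get("eventtype")
        cls = keys.get("css_class")
        if et is None or cls is None:
            problems.append(f"{stanza}: missing eventtype or css_class")
            continue
        if et not in eventtypes:
            problems.append(f"{stanza}: eventtype '{et}' not defined in eventtypes.conf")
        if cls not in classes:
            problems.append(f"{stanza}: no .splEvent-{cls} rule in application.css")
    return problems


if __name__ == "__main__":
    for line in check_renderers(EVENTTYPES_CONF, EVENT_RENDERERS_CONF, APPLICATION_CSS):
        print(line)
```

Run it against the real files of an app (read them from disk in place of the constructed strings) before restarting splunkweb; the high-severity stanza passes, while the two hypothetical stanzas produce three findings: a missing CSS rule for the medium renderer, and both an undefined eventtype and a missing CSS rule for the low one.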

gkanapathy
Splunk Employee

Probably you are seeing the High-Low Overlay, which can be selected manually in any search results, or configured in Advanced XML with the "DataOverlay" module. I don't think there is an option to force-set it in Simple XML. There is also a Heatmap Overlay. Unfortunately, there really isn't a way to create any other overlays or significantly change these, but you might be able to use custom event renderers to do what you need.



albyva
Communicator

Ugh... Nothing simple like | where XXX>1000 turn red???
