Hi all
How do you configure colour coding in general search results? I know I can use the rangemap command, but in apps like OSSEC some general results are highlighted with a red border without using rangemap in the search string.
cheers
What you're looking for is Event Renderers.
You might wish to take a look at this previous thread:
http://answers.splunk.com/questions/7378/modifying-css-to-colorize-table-rows-in-dashboard-panel-wit...
In its simplest form, the three steps are:
- Create eventtypes in eventtypes.conf for each set of events to be colorized.
- Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
- Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)
For example (adapted from the OSSEC app):
eventtypes.conf:
[ossec_high_severity]
search = eventtype=ossec (severity>8)
event_renderers.conf:
[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity
appserver/static/application.css:
/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
border: solid red 1px;
}
If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events (link).
Here's another good CSS-only example, from a recent blog post:
http://blogs.splunk.com/2010/10/26/colorize-your-world-or-at-least-your-splunk-results/
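As an added example (not from this thread, the OSSEC app, or Splunk itself), here is a small Python check that parses the three files from the answer above and reports every event_renderers.conf stanza whose eventtype is not defined in eventtypes.conf or whose css_class has no matching .splEvent-<class> rule in application.css. The file contents are constructed for the example and include one deliberately broken stanza (er_orphan).

```python
import configparser
import re

# Constructed sample files mirroring the OSSEC example above; er_orphan is broken on purpose.
EVENTTYPES_CONF = """
[ossec_high_severity]
search = eventtype=ossec (severity>8)
"""

EVENT_RENDERERS_CONF = """
[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

[er_orphan]
eventtype = ossec_missing_type
css_class = OssecMissing
"""

APPLICATION_CSS = """
/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}
"""

def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def css_classes(css):
    """Collect the <class> part of every .splEvent-<class> selector in the CSS."""
    return set(re.findall(r"\.splEvent-([A-Za-z0-9_-]+)", css))

def check_renderers(eventtypes_text, renderers_text, css_text):
    """Return a list of linkage problems across the three files; empty means consistent."""
    eventtypes = parse_conf(eventtypes_text)
    classes = css_classes(css_text)
    problems = []
    for stanza, body in parse_conf(renderers_text).items():
        et, cls = body.get("eventtype"), body.get("css_class")
        if et is None or cls is None:
            problems.append(f"{stanza}: missing eventtype or css_class")
            continue
        if et not in eventtypes:
            problems.append(f"{stanza}: eventtype '{et}' not defined in eventtypes.conf")
        if cls not in classes:
            problems.append(f"{stanza}: no .splEvent-{cls} rule in application.css")
    return problems
```

The check reads only the file contents you hand it, so to review a deployed app feed it the merged configuration rather than a single local file.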
Probably you are seeing the High-Low Overlay, which can be selected manually in any search results, or configured in Advanced XML with the "DataOverlay" module. I don't think there is an option to force-set it in Simple XML. There is also a Heatmap Overlay. Unfortunately, there really isn't a way to create any other overlays or significantly change these, but you might be able to use custom event renderers to do what you need.
Ugh... Nothing simple like | where XXX>1000 to turn it red???
