Configure colour coded results by default

quixand
Path Finder

Hi all

How do you configure colour coding in general search results? I know I can use the rangemap command, but in apps like OSSEC some general results are highlighted in a red border without using rangemap in the search string?

cheers

1 Solution

southeringtonp
Motivator

What you're looking for is Event Renderers.

You might wish to take a look at this previous thread:
      http://answers.splunk.com/questions/7378/modifying-css-to-colorize-table-rows-in-dashboard-panel-wit...

In its simplest form, the three steps are:

  • Create eventtypes in eventtypes.conf for each set of events to be colorized.
  • Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
  • Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)

For example (adapted from the OSSEC app):

eventtypes.conf:

[ossec_high_severity]
search = eventtype=ossec (severity>8)

event_renderers.conf:

[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

appserver/static/application.css:

/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}

If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events (link).

Here's another good CSS-only example, from a recent blog post:
     http://blogs.splunk.com/2010/10/26/colorize-your-world-or-at-least-your-splunk-results/

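A consistency check for the three steps in the answer above, added here as an example (it is not part of the original post or of the OSSEC app): it reports event renderers whose eventtype is not defined or whose css_class has no matching `.splEvent-` selector. The medium-severity stanza and the function names are constructed for illustration, and Python's configparser is assumed to be adequate for simple single-line stanzas like these.

```python
import configparser
import re

# Constructed sample inputs; the medium-severity stanza is hypothetical and incomplete.
EVENTTYPES_CONF = """
[ossec_high_severity]
search = eventtype=ossec (severity>8)
"""
EVENT_RENDERERS_CONF = """
[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

[er_ossec_medium_severity]
eventtype = ossec_medium_severity
css_class = OssecMediumSeverity
"""
APPLICATION_CSS = """
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}
"""

def parse_conf(text):
    # interpolation=None keeps '%' in search strings literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_renderers(eventtypes_text, renderers_text, css_text):
    """Return (stanza, problem) pairs for renderers that cannot take effect."""
    eventtypes = set(parse_conf(eventtypes_text).sections())
    # Class suffixes that have a selector with the splEvent- prefix.
    styled = set(re.findall(r"\.splEvent-([A-Za-z0-9_-]+)", css_text))
    renderers = parse_conf(renderers_text)
    problems = []
    for stanza in renderers.sections():
        eventtype = renderers.get(stanza, "eventtype", fallback=None)
        css_class = renderers.get(stanza, "css_class", fallback=None)
        if eventtype not in eventtypes:
            problems.append((stanza, f"eventtype {eventtype!r} is not defined"))
        if css_class not in styled:
            problems.append((stanza, f"no .splEvent-{css_class} selector"))
    return problems

if __name__ == "__main__":
    for stanza, problem in check_renderers(
            EVENTTYPES_CONF, EVENT_RENDERERS_CONF, APPLICATION_CSS):
        print(f"{stanza}: {problem}")
```

A high-severity alert that silently loses its highlight is easy to miss, so a check like this is worth running whenever any of the three files changes.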

gkanapathy
Splunk Employee

Probably you are seeing the High-Low Overlay, which can be selected manually in any search results, or configured in Advanced XML with the "DataOverlay" module. I don't think there is an option to force-set it in Simple XML. There is also a Heatmap Overlay. Unfortunately, there really isn't a way to create any other overlays or significantly change these, but you might be able to use custom event renderers to do what you need.


albyva
Communicator

Ugh.. Nothing simple like | where XXX>1000 turn red

???
