Configure colour coded results by default

quixand
Path Finder

Hi all

How do you configure colour coding in general search results? I know I can use the rangemap command, but in apps like OSSEC some general results are highlighted with a red border without using rangemap in the search string.

cheers

1 Solution

southeringtonp
Motivator

What you're looking for is Event Renderers.

You might wish to take a look at this previous thread:
      http://answers.splunk.com/questions/7378/modifying-css-to-colorize-table-rows-in-dashboard-panel-wit...

In its simplest form, the three steps are:

  • Create eventtypes in eventtypes.conf for each set of events to be colorized.
  • Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
  • Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)

For example (adapted from the OSSEC app):

eventtypes.conf:

[ossec_high_severity]
search = eventtype=ossec (severity>8)

event_renderers.conf:

[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

appserver/static/application.css:

/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}

If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events (link).

Here's another good CSS-only example, from a recent blog post:
     http://blogs.splunk.com/2010/10/26/colorize-your-world-or-at-least-your-splunk-results/

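As an added example (not from the original answer or the OSSEC app), a small Python check that keeps the three files consistent: every event_renderers.conf stanza must point at an eventtype that exists in eventtypes.conf and at a css_class that has a matching .splEvent-<class> rule in application.css. The file contents below are constructed, and the second renderer stanza is deliberately left without an eventtype definition or a CSS rule so the check has something to report.

```python
import re

# Constructed sample files mirroring the answer's example; er_ossec_medium_severity is deliberately broken.
EVENTTYPES_CONF = """
[ossec_high_severity]
search = eventtype=ossec (severity>8)
"""
EVENT_RENDERERS_CONF = """
[er_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity
[er_ossec_medium_severity]
eventtype = ossec_medium_severity
css_class = OssecMediumSeverity
"""
APPLICATION_CSS = """
/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table { border: solid red 1px; }
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; blank lines and # comments are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # split on the first '=' only; search strings contain '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_renderers(eventtypes_text, renderers_text, css_text):
    """List renderer stanzas whose eventtype is undefined or whose css_class has no .splEvent-<class> rule."""
    eventtypes = parse_conf(eventtypes_text)
    renderers = parse_conf(renderers_text)
    css_classes = set(re.findall(r"\.splEvent-([A-Za-z0-9_-]+)", css_text))
    problems = []
    for name, settings in renderers.items():
        et = settings.get("eventtype")
        if et not in eventtypes:
            problems.append(f"{name}: eventtype '{et}' not defined in eventtypes.conf")
        cls = settings.get("css_class")
        if cls not in css_classes:
            problems.append(f"{name}: no .splEvent-{cls} rule in application.css")
    return problems
```

Run `check_renderers(EVENTTYPES_CONF, EVENT_RENDERERS_CONF, APPLICATION_CSS)` against the real files from your app's local/ and appserver/static/ directories to catch a renderer that silently never fires.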

gkanapathy
Splunk Employee

Probably you are seeing the High-Low Overlay, which can be selected manually in any search results, or configured in Advanced XML with the "DataOverlay" module. I don't think there is an option to force-set it in Simple XML. There is also a Heatmap Overlay. Unfortunately, there really isn't a way to create any other overlays or significantly change these, but you might be able to use custom event renderers to do what you need.

albyva
Communicator

Ugh... Nothing simple, like | where XXX>1000 turn red???
