Configure colour coded results by default


Hi all

How do you configure colour coding in general search results? I know I can use the rangemap command, but in apps like OSSEC some general results are highlighted in a red border without using rangemap in the search string?



Re: Configure colour coded results by default


What you're looking for is Event Renderers.

You might wish to take a look at this previous thread:

In its simplest form, the three steps are:

  • Create eventtypes in eventtypes.conf for each set of events to be colorized.
  • Create matching entries in event_renderers.conf for each of the eventtypes that you created. This maps each eventtype to a CSS class.
  • Create your CSS classes in appserver/static/application.css for each of your new CSS classes. (You can also use a per-view CSS file by defining "stylesheet=xxx.css" in the XML for that view)

For example (adapted from the OSSEC app):


eventtypes.conf (the stanza name is the eventtype name that event_renderers.conf refers to):

[ossec_high_severity]
search = eventtype=ossec (severity>8)

event_renderers.conf (the stanza name is assumed here; the original post omitted it):

[event_renderer_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity

appserver/static/application.css:

/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}

If you want to do more than basic formatting, then you can also customize the HTML template and/or JavaScript code for those events (link).
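Because the three files above only work when they agree with each other (a renderer pointing at an eventtype that is not defined, or a css_class with no matching .splEvent- rule, just leaves the events uncoloured with no error), here is an added consistency checker. It is example code written for this thread, not part of Splunk or the OSSEC app. It assumes the .conf files can be parsed as plain INI stanzas with "=" delimiters (Splunk's layered merging of default/local files is not modelled), and the event_renderers.conf stanza name it uses is assumed, as in the example above.

```python
"""Cross-check a Splunk event renderer setup for consistency.

Added example for this thread, not Splunk's or the OSSEC app's own code.
It parses eventtypes.conf, event_renderers.conf and application.css and
reports the mismatches that would silently leave events uncoloured.
"""
import configparser
import re

# Matches the class name in rules such as ".splEvent-OssecHighSeverity table {"
CSS_RULE = re.compile(r"\.splEvent-([A-Za-z0-9_-]+)\b")


def _parse_conf(text):
    """Parse a Splunk .conf file as INI stanzas.

    Assumption: one file, no layering. Only '=' is a delimiter (search strings
    may contain ':'), interpolation is off so '%' is left alone, and key case
    is preserved.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_renderer_config(eventtypes_text, renderers_text, css_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    eventtypes = _parse_conf(eventtypes_text)
    renderers = _parse_conf(renderers_text)
    css_classes = set(CSS_RULE.findall(css_text))
    problems = []

    # Every eventtype stanza needs a search, or Splunk has nothing to match.
    for name, body in eventtypes.items():
        if not body.get("search"):
            problems.append(f"eventtypes.conf [{name}]: missing 'search'")

    # Every renderer must point at a defined eventtype and a styled CSS class.
    for stanza, body in renderers.items():
        et = body.get("eventtype")
        cls = body.get("css_class")
        if not et:
            problems.append(f"event_renderers.conf [{stanza}]: missing 'eventtype'")
        elif et not in eventtypes:
            problems.append(
                f"event_renderers.conf [{stanza}]: eventtype '{et}' "
                "is not defined in eventtypes.conf")
        if not cls:
            problems.append(f"event_renderers.conf [{stanza}]: missing 'css_class'")
        elif cls not in css_classes:
            problems.append(
                f"event_renderers.conf [{stanza}]: no '.splEvent-{cls}' "
                "rule in application.css")
    return problems


# Constructed sample inputs: the working set from the thread, and a broken
# set with a misspelled eventtype reference and a typo in the CSS selector.
GOOD_EVENTTYPES = """
[ossec_high_severity]
search = eventtype=ossec (severity>8)
"""
GOOD_RENDERERS = """
[event_renderer_ossec_high_severity]
eventtype = ossec_high_severity
css_class = OssecHighSeverity
"""
GOOD_CSS = """
/* Red-line border for high-severity events */
.splEvent-OssecHighSeverity table {
    border: solid red 1px;
}
"""
BAD_RENDERERS = """
[event_renderer_ossec_high_severity]
eventtype = ossec_hi_severity
css_class = OssecHighSeverity
"""
BAD_CSS = ".splEvent-OssecHighSeveritty table { border: solid red 1px; }"


if __name__ == "__main__":
    print("good:", check_renderer_config(GOOD_EVENTTYPES, GOOD_RENDERERS, GOOD_CSS))
    for p in check_renderer_config(GOOD_EVENTTYPES, BAD_RENDERERS, BAD_CSS):
        print("bad:", p)
```

In practice you would read the three files from your app directory and run them through check_renderer_config before restarting Splunk; the broken sample reports two problems, one per file that drifted out of sync.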

Here's another good CSS-only example, from a recent blog post:

Re: Configure colour coded results by default


Ugh... Nothing simple like | where XXX>1000 turn red?



Re: Configure colour coded results by default

Splunk Employee

Probably you are seeing the High-Low Overlay, which can be selected manually in any search results, or configured in Advanced XML with the "DataOverlay" module. I don't think there is an option to force-set it in Simple XML. There is also a Heatmap Overlay. Unfortunately, there really isn't a way to create any other overlays or significantly change these, but you might be able to use custom event renderers to do what you need.

