It does indeed do this out of the box. Take a look at the rangemap command. With it you can define buckets to colorize your events by. You can then use a SingleValue module to display the color. Note the classField parameter; if you are using rangemap to colorize the SingleValue box, set classField to "range" as such:
The pre-defined css classes for SingleValue are none, low, elevated, and severe. So if you want to use the out of the box css use rangemap like in the following example:
eventtype=failed_login | stats count | rangemap field=count low=1-5 elevated=5-10 severe=10-9999999 default=None
You specify it as an option to the SingleValue module in your advanced dashboard XML. Check out the following doc topic for an intro to advanced XML: http://www.splunk.com/base/Documentation/latest/Developer/AdvancedIntro
I would imagine so, all it is is a case of setting a range value, at which the CSS picks it up and transforms it into the traffic light.
Try it and see what comes of it, and let us know! 🙂
No, it's not working with real-time search.
Let's say for a low value I have a green color on the dashboard, but it should have been yellow once the returned result breaches the threshold. But it's reflecting the changes only after refreshing the dashboard.