Format table columns for the values starting with minus(-).

biec1
Explorer

Q1. I would like to format table columns for the values starting with minus(-).
Q2. Use Time range picker token for enddaysago in query.
enddaysago=$token.earliest$ or enddaysago=$token.latest$ is not working.

0 Karma

gcusello
Legend

Hi biec1,
About colors for negative values, you can assign colors to negative values using colors in table (see https://docs.splunk.com/Documentation/Splunk/6.5.3/Viz/TableFormatsFormatting).
About using a time token as a variable, I don't understand your need: if oldest_tkn is the name of your time picker and $oldest_tkn.earliest$ and $oldest_tkn.latest$ are the earliest and latest values in your search, you can insert them in your search:

<earliest>$oldest_tkn.earliest$</earliest>
<latest>$oldest_tkn.latest$</latest>

If you want to use two different time pickers and oldest_tkn is the second one, I wasn't able to do this, so I used a different approach:
I created an index containing only dates (every night there is a scheduled job that adds a new date) and I passed this date to the search using the usual way: enddaysago=$oldest_tkn.earliest$ or enddaysago=$oldest_tkn.latest$

Bye.
Giuseppe

0 Karma

biec1
Explorer

Splunk does not show any effect when I assign negative values with a wildcard (-*).
The color changes only if I enter the complete negative value (-18.25). I want it to work for all negative values.

The following is the requirement for the second query:
For the earliest, I am able to provide the time with the first time picker.
For enddaysago, I couldn't use the second time picker. It gives some error.
I don't have the option of creating an additional index.

index=index_name host=host_name earliest=-10m
| eval fs=fs_name
| stats  first(eval(round(d_free/1024/1024,2))) as free first(eval(round(d_total/1024/1024,2))) as total by fs
| eval used=total-free 
| join fs[index=index_name host=host_name enddaysago=30
| eval fs=fs_name
| stats  first(eval(round(d_free/1024/1024,2))) as free first(eval(round(d_total/1024/1024,2))) as total by fs
| eval used_old=total-free]
| eval growth=used-used_old
0 Karma

gcusello
Legend

About colors:
what do you mean with "assign negative values with wild card"? You can assign colors to negative numbers in output columns.
About enddaysago, you should use another way to pass the token to the search (e.g. a dropdown list or a text box) but not a time picker.
Bye.
Giuseppe

0 Karma
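
A Simple XML sketch of the two points discussed in this thread, added here as an example and not posted by either participant: a threshold color format that covers every negative value in the growth column, and a dropdown whose plain integer value feeds enddaysago. The token name days_tkn, the choice values, the label text and the colors are assumptions; the query is the one posted above with the token substituted and an explicit search at the start of the subsearch.

```xml
<form>
  <label>Filesystem growth (added example)</label>
  <fieldset submitButton="false">
    <!-- Assumed token name: days_tkn. A dropdown returns a plain integer,
         which is the kind of value enddaysago takes; a time picker does not. -->
    <input type="dropdown" token="days_tkn">
      <label>Compare with usage from N days ago</label>
      <choice value="7">7 days</choice>
      <choice value="30">30 days</choice>
      <choice value="90">90 days</choice>
      <default>30</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=index_name host=host_name earliest=-10m
| eval fs=fs_name
| stats first(eval(round(d_free/1024/1024,2))) as free first(eval(round(d_total/1024/1024,2))) as total by fs
| eval used=total-free
| join fs [search index=index_name host=host_name enddaysago=$days_tkn$
  | eval fs=fs_name
  | stats first(eval(round(d_free/1024/1024,2))) as free first(eval(round(d_total/1024/1024,2))) as total by fs
  | eval used_old=total-free]
| eval growth=used-used_old</query>
        </search>
        <!-- A single threshold at 0 splits the growth column into two ranges:
             values below 0 take the first color, values of 0 or more the second.
             No per-value rule or wildcard is needed. -->
        <format type="color" field="growth">
          <colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
          <scale type="threshold">0</scale>
        </format>
      </table>
    </panel>
  </row>
</form>
```
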

gcusello
Legend

Hi biec1,
could you share more information:

  • how do you want to format columns with minus? are you speaking about negative numbers?
  • what is enddaysago: a value in eval or in a search? are you speaking of a search of a dashboard?

Bye.
Giuseppe

0 Karma

biec1
Explorer

Hi Giuseppe,
Thank you.

  • how do you want to format columns with minus? are you speaking about negative numbers? I want to assign some color to negative values.
  • 'what is enddaysago: a value in eval or in a search? are you speaking of a search of a dashboard?' In the dashboard I have a time range picker with token name oldest_tkn. I want to use it in the dashboard search query as enddaysago=$oldest_tkn.earliest$ or enddaysago=$oldest_tkn.latest$
0 Karma