Help using scale colors depending on the value result

jip31
Motivator

Hello,
Is it possible in the XML below to use scale colors?
If the perc result is:

  • <5% I want to color the value in green
  • between 5 and 25% I want to color the value in orange
  • >25% I want to color the value in red

Many thanks

<row id="first">
    <panel>
      <title>Crashes - Volume percentage (%)</title>
      <single id="test">
        <title>Source : Windows Event Viewer (ID 6008) - Slot time : last 30 days</title>
        <search>
          <query>[| inputlookup host.csv 
    | table host] `BSOD` 
| dedup host 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| search SITE=$tok_filtersite|s$ 
| stats dc(host) as NbEventCodeHost 
| appendcols 
    [| inputlookup host.csv 
    | lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
    | search SITE=$tok_filtersite|s$ 
    | stats dc(host) as NbIndHost 
        ] 
| eval Perc=round((NbEventCodeHost/NbIndHost)*100,2). " %" + " / " + NbIndHost + " machines " 
| table Perc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">none</option>
        <option name="drilldown">all</option>
        <option name="rangeColors">["0x65a637","0xd93f3c","0xd93f3c"]</option>
        <option name="rangeValues">[0,1]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
</row>
0 Karma

renjith_nair
SplunkTrust

@jip31,

It's possible but the value has to be numeric.

Try this

<row id="first">
     <panel>
       <title>Crashes - Volume percentage (%)</title>
       <single id="test">
         <title>Source : Windows Event Viewer (ID 6008) - Slot time : last 30 days</title>
         <search>
           <query>[| inputlookup host.csv 
     | table host] `BSOD` 
 | dedup host 
 | lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
 | search SITE=$tok_filtersite|s$ 
 | stats dc(host) as NbEventCodeHost 
 | appendcols 
     [| inputlookup host.csv 
     | lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
     | search SITE=$tok_filtersite|s$ 
     | stats dc(host) as NbIndHost 
         ] 
 | eval Perc=round((NbEventCodeHost/NbIndHost)*100,2)
 | table Perc,NbIndHost</query>
           <earliest>-30d@d</earliest>
           <latest>now</latest>
           <done>
                     <set token="NbInd_Token">$result.NbIndHost$</set>
           </done>
         </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x65a637","0xf1813f","0xd93f3c"]</option>
        <option name="rangeValues">[5,25]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="underLabel">/ $NbInd_Token$ machines</option>
       </single>
     </panel>
</row>
Happy Splunking!

0 Karma

jip31
Motivator

Thanks renjith.
Last question:
why have you deleted : + " / " + NbIndHost + " machines "?
I need to keep this piece of code and to color it in blue.
Is it possible?

0 Karma

renjith_nair
SplunkTrust

As mentioned above, single value customization works on numeric values. So if you add the strings to that, then the formatting cannot be done.
One option is to use the under label option and set the value there. I have updated the answer with that option.
If that's not what you are looking for, then you might need to use either the Status Indicator App or CSS/JS solutions.

Happy Splunking!
0 Karma

jip31
Motivator

Thanks renjith

0 Karma

jip31
Motivator

Hi,
I just have an issue with

/ $NbIndHost$ machines
the token doesn't work (see screenshot)
https://www.cjoint.com/c/IGdhqOOpLLd

Do you have an idea?

0 Karma

renjith_nair
SplunkTrust

@jip31,

As mentioned in the above XML, have you added this part in the search tag?

   <latest>now</latest>
            <done>
                      <set token="NbIndHost">$result.NbIndHost$</set>
            </done>
          </search>
Happy Splunking!
0 Karma

jip31
Motivator

Yes,
you can see my XML

TEST

TEST

[| inputlookup host.csv
| table host] index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:System" EventCode=* (Level=1 OR Level=2 OR Level=3)
| dedup host
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| stats dc(host) as NbEventCodeHost
| appendcols
[| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| stats dc(host) as NbIndHost
]
| eval Perc=round((NbEventCodeHost/NbIndHost)*100,2)
| table Perc

-30d@d
now
$result.NbIndHost$


block
["0x65a637","0xf1813f","0xd93f3c"]
[5,25]
progressbar
absolute
%
1
/ $NbIndHost$ machines

0 Karma

renjith_nair
SplunkTrust

Not able to see the XML. Can you put it in code to avoid the XML truncation?

Happy Splunking!
0 Karma

jip31
Motivator

HERE IS THE CODE

0 Karma

renjith_nair
SplunkTrust

You don't need to use capital letters, "just saying".

In your search, you missed adding NbIndHost to the table command, which is in the actual XML I pasted

i.e.

    | table Perc,NbIndHost
Happy Splunking!
0 Karma
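
Added example, not from any poster in this thread: a small Python check for the two pitfalls discussed above, namely that `rangeColors` needs one more entry than `rangeValues`, and that a `$result.<field>$` token stays unset when the final `table` drops that field. The panel text is a trimmed, constructed copy of the posted XML; the function names are hypothetical, the `table` parsing is a simplified heuristic, and the threshold-boundary rule in `color_for` is an assumption.

```python
import bisect
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the panel posted in the thread. The
# final `table` keeps only Perc, yet <done> reads $result.NbIndHost$.
PANEL = """<panel><single>
  <search>
    <query>[| inputlookup host.csv | table host] `BSOD`
| stats dc(host) as NbEventCodeHost
| appendcols [| inputlookup host.csv | stats dc(host) as NbIndHost]
| eval Perc=round((NbEventCodeHost/NbIndHost)*100,2)
| table Perc</query>
    <done><set token="NbInd_Token">$result.NbIndHost$</set></done>
  </search>
  <option name="rangeColors">["0x65a637","0xf1813f","0xd93f3c"]</option>
  <option name="rangeValues">[5,25]</option>
  <option name="underLabel">/ $NbInd_Token$ machines</option>
</single></panel>"""

def final_fields(query):
    """Fields kept by the last `| table` in the query (simplified heuristic)."""
    tables = re.findall(r"\|\s*table\s+([^|\]]+)", query)
    return set(re.split(r"[,\s]+", tables[-1].strip())) if tables else set()

def check_single(panel_xml):
    """Return a list of problems found in the panel's <single> element."""
    single = ET.fromstring(panel_xml).find(".//single")
    opts = {o.get("name"): o.text for o in single.iter("option")}
    values = json.loads(opts.get("rangeValues", "[]"))
    colors = json.loads(opts.get("rangeColors", "[]"))
    problems = []
    # N thresholds split the axis into N+1 bands, so N+1 colors are needed.
    if len(colors) != len(values) + 1:
        problems.append(f"{len(values)} rangeValues need {len(values) + 1} rangeColors")
    # $result.<field>$ can only be read if <field> is in the final result row.
    kept = final_fields(single.findtext("search/query"))
    for node in single.iter("set"):
        for field in re.findall(r"\$result\.(\w+)\$", node.text or ""):
            if field not in kept:
                problems.append(f"token {node.get('token')}: {field} not in final table")
    return problems

def color_for(value, values, colors):
    """Band color for a numeric value; a value on a threshold is assumed to
    fall in the upper band."""
    return colors[bisect.bisect_right(values, value)]

if __name__ == "__main__":
    print(check_single(PANEL))
```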

jip31
Motivator

Oh sorry, it's exact.
I didn't see that you added this in table.
Thanks

0 Karma

jip31
Motivator

But I found a second issue

$result.NbIndHost$ is linked to a dropdown list like you can see in `| search SITE=$tok_filtersite|s$ `

but when I am doing a choice in | search SITE=$tok_filtersite|s$ the result in $result.NbIndHost$ doesn't change.
Do you have an idea, please?

0 Karma

renjith_nair
SplunkTrust

Updated the answer to change the token name, just to avoid confusion.

The token name has been changed from NbIndHost to NbInd_Token.

Regarding your question, when you change the token, does the value under the field NbIndHost change? You can view that by opening the search.

Happy Splunking!
0 Karma

jip31
Motivator

like this is correct!

0 Karma

renjith_nair
SplunkTrust

Is it working for you, or do you still have issues?

Happy Splunking!
0 Karma

jip31
Motivator

It's OK, thanks!

0 Karma

jip31
Motivator
<panel>
      <title>TEST</title>
      <single>
        <title>TEST</title>
        <search>
          <query>[| inputlookup host.csv 
    | table host] index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:System" EventCode=* (Level=1 OR Level=2 OR Level=3) 
| dedup host 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| search SITE=$tok_filtersite|s$ 
| stats dc(host) as NbEventCodeHost 
| appendcols 
    [| inputlookup host.csv 
    | lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
    | search SITE=$tok_filtersite|s$ 
    | stats dc(host) as NbIndHost 
        ] 
| eval Perc=round((NbEventCodeHost/NbIndHost)*100,2)
| table Perc</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <done>
            <set token="NbIndHost">$result.NbIndHost$</set>
          </done>
        </search>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x65a637","0xf1813f","0xd93f3c"]</option>
        <option name="rangeValues">[5,25]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unit">%</option>
        <option name="useColors">1</option>
        <option name="underLabel">/ $NbIndHost$ machines</option>
      </single>
    </panel>
0 Karma