Dashboards & Visualizations

Highlight Each Row In Table Based On Conditions

tyhopping1
Engager

This is a continuation of:
(https://answers.splunk.com/answers/804476/compare-the-actual-start-time-to-the-expect-start.html)

I have created a dashboard that compares the Actual Start Time with the Expected Start Time of a given job. In this dashboard, I would like these highlight conditions to be in effect:

  • job ran on-time (Act. <= Exp.) = highlight green
  • job has not run yet = highlight yellow
  • job ran late (Act. > Exp.) = highlight red

I would like each row (each job name) highlighted based on these conditions.

Here is the code for my current Dashboard:

<dashboard>
  <label>Name</label>
  <row>
    <panel>
      <title>Title</title>
      <table>
        <title>Title</title>
        <search>
          <query>msg.jobName = RLMMTP* | spath "msg.status.Code" | search "msg.status.Code"=*| spath "msg.recordType" | search "msg.Type"=* | spath "msg.message" | search "msg.message"="RECORD PROCESSED" 
| eval day = strftime(_time, "%d")          
 | stats earliest(timestamp) as startTime, latest(timestamp) as endTime count by msg.jobName
 | eval startTime=substr(startTime,1,13) 
 | eval ActualStart=strftime(startTime/1000, "%H:%M:%S")
 | lookup AverageStartTimes.csv msg.jobName as msg.jobName OUTPUT ExpectedStart
 | table msg.jobName</query>
          <earliest>-1d@d</earliest>
          <latest>@d</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="msg.jobName">
          <colorPalette type="expression">
            if ( ActualStart >= ExpectedStart, "#65A637")
            if ( ActualStart &lt; ExpectedStart, "#8B0000")
          </colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>    

Upon trying with just simple XML in the Dashboard, it seems I cannot create a condition to highlight only one row at a time, only the whole column. Unfortunately using JS and CSS is currently unavailable for me. Any help is appreciated.

0 Karma

to4kawa
Ultra Champion
<query>msg.jobName="RLMMTP*" "\"message\"" "\"RECORD PROCESSED\""
| spath msg.jobName
| eval day = strftime(_time, "%d") 
| stats earliest(timestamp) as startTime, latest(timestamp) as endTime count by "msg.jobName" 
| eval startTime=substr(startTime,1,13) 
| eval ActualStart=strftime(startTime/1000, "%H:%M:%S") 
| lookup AverageStartTimes.csv msg.jobName as msg.jobName OUTPUT ExpectedStart 
| stats values(ActualStart) as ActualStart values(ExpectedStart) as ExpectedStart by "msg.jobName"</query>

Maybe it can be a trellis visualization.

0 Karma

niketn
Legend

@tyhopping1, I don't think that would be possible without a JS extension. The community will be able to assist you with a JS/CSS based solution if possible. Let us know! You can also refer to one of my older answers for highlighting a row based on duration: https://answers.splunk.com/answers/581747/change-row-color-when-the-field-time-value-increas.html

If you just need to show Job Name with color based on Actual Start Time vs Expected Start Time, you can also check out the Status Indicator custom visualization. With some CSS override it can produce output like the following:


Following is the run-anywhere example Simple XML code (CSS override done from within Simple XML):

<dashboard>
  <label>Status Indicator Trellis</label>
  <description>Color Job by delay in Actual Start vs Expected Start Status Indicator Trellis</description>
  <row>
    <panel>
      <html>
        <style>
          #my_status_indicator1 .facet-label{
            position: relative !important;
            top: 90px !important;
            font-size: xx-large !important;
            color: white !important;
          }
          #my_status_indicator1 div[id="status_indicator_app.status_indicator"].splunk-status-indicator{
            font-size: 0px !important;
          }
          #my_status_indicator1 div[id="status_indicator_app.status_indicator"].lazy-custom-visualization{
            height: 80% !important;
          }
        </style>
      </html>
      <viz id="my_status_indicator1" type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults count=20
| streamstats count as sno 
| eval msg.jobName="Job".sno 
| eval StartTime=random(),StartTime="-".substr(StartTime,1,1) 
| eval ExpectedStartTime=random(),ExpectedStartTime="-".substr(ExpectedStartTime,1,1) 
| eval ActualStart=relative_time(now(),StartTime),
    ExpectedStart=relative_time(now(),ExpectedStartTime) 
| eval diff=round(ActualStart-ExpectedStart,0) 
| table msg.jobName diff
| stats last(diff) as diff by msg.jobName
| eval color=if(diff>=0,"#53a051","#dc4e41")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">675</option>
        <option name="refresh.display">progressbar</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">3</option>
        <option name="status_indicator_app.status_indicator.staticColor">#dc4e41</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
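
An added example, not part of any post above and not code from Splunk: a Simple XML table that needs no JS or CSS, computing a Status value per job in the search and colouring only that cell with a `map` colour palette. The makeresults sample data, the field names jobName and Status, and the yellow colour value are assumptions; it colours one cell in each row rather than the whole row.

```xml
<dashboard>
  <label>Job start status (added example)</label>
  <row>
    <panel>
      <!-- Constructed sample data: six jobs, every third one has not run yet.
           HH:MM:SS strings are zero-padded, so string comparison orders them correctly. -->
      <table>
        <search>
          <query>| makeresults count=6
| streamstats count as sno
| eval jobName="Job".sno, ExpectedStart="08:00:00"
| eval ActualStart=case(sno%3==0, null(), sno%3==1, "07:55:00", true(), "08:10:00")
| eval Status=case(isnull(ActualStart), "Not run", ActualStart&lt;=ExpectedStart, "On time", true(), "Late")
| table jobName ActualStart ExpectedStart Status</query>
        </search>
        <option name="drilldown">none</option>
        <!-- Colour only the Status cell; the keys must match the values produced by the eval above -->
        <format type="color" field="Status">
          <colorPalette type="map">{"On time":#65A637,"Not run":#F7BC38,"Late":#8B0000}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```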