Dashboards & Visualizations

How can I change the color based on another variable?

albinortiz
Engager

Greetings,

The following query brings the total amount of hosts in AD, the amount of hosts that seem to be currently active, and what percent of the total hosts in AD are currently active. What I want to do is change the color of the result depending on the percentage calculated.

For example, I am displaying the Total in a single value pane. If the Percentage is more than 94%, make it GREEN, otherwise make it RED.

This is what I got so far:

index=winevents
| dedup host
| stats count as Total
| appendcols [ | ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*") | stats count as WindowsComputers ]
| eval Percentage = round((Total/WindowsComputers)*100)
| eval Percentage = if(Percentage > 94, "low", "severe")
| table Total

XML:

option name="field">Percentage

Thanks in advance!

Tags (1)
0 Karma

Javip
Path Finder

Hi,

I did something similar using Status Indicator - Custom Viz
https://splunkbase.splunk.com/app/3119/

I used this custom params for my panel:

<option name="height">70</option>
<option name="link.visible">0</option>
<option name="status_indicator_app.status_indicator.colorBy">field_value</option>
<option name="status_indicator_app.status_indicator.fillTarget">background</option>
<option name="status_indicator_app.status_indicator.fixIcon">warning</option>
<option name="status_indicator_app.status_indicator.icon">field_value</option>
<option name="status_indicator_app.status_indicator.precision">0</option>
<option name="status_indicator_app.status_indicator.showOption">1</option>
<option name="status_indicator_app.status_indicator.staticColor">#555</option>
<option name="status_indicator_app.status_indicator.useColors">true</option>
<option name="status_indicator_app.status_indicator.useThousandSeparator">false</option>

I used a query like this:
(...)
| eval value = ....
| eval color_value=case(m="1", "#32cd32", m="2", "#FFD700", m="3", "#540650", 1=1, "#ff0000")
| eval icon_value=case(m="1", "check-circle", m="2", "exclamation-triangle", m="3", "exclamation-circle", 1=1, "times-circle")
| table value icon_value color_value

I hope this can help you!

Javier

0 Karma

albinortiz
Engager

Javi,

Unfortunately I don't have that app on my system and I am not able to install until further notice. I will try it as soon as I can and will let you know.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...