How can I get colors into trellis for values that are non numeric?

Motivator

How can I get colors into trellis for value names?

I have data like the following, non-numeric. The columns can increase (X, Y, etc.) but the value can only be ALIVE or DEAD.

I want:

ALIVE = GREEN
DEAD = RED

ACTIVITY,   CREDIT_OFFICER, X, Y    
ALIVE,  DEAD, ALIVE, DEAD   

I can do it for numbers easily but can't do it for values?

Thanks in advance
Rob


SplunkTrust

@robertlynch2020, based on the sample data provided in the question, please try the following run-anywhere example, which uses the Status Indicator Custom Visualization with Trellis Layout to show an icon and color based on the string value of a specific field.

<dashboard>
  <label>Trellis with Color By String Value</label>
  <row>
    <panel>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| eval data="ACTIVITY=ALIVE,CREDIT_OFFICER=DEAD,X=ALIVE,Y=DEAD"
| makemv data delim=","
| mvexpand data
| rename data as _raw
| KV
| fields - _*
| stats values(*) as *
| transpose column_name="field"
| rename "row 1" as value
| stats last(value) as value by field
| foreach * [eval icon=if('&lt;&lt;FIELD&gt;&gt;'=="ALIVE","check-circle","times-circle"), color=if('&lt;&lt;FIELD&gt;&gt;'=="ALIVE","green","red")]
| stats last(value) as value last(icon) as icon last(color) as color by field</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#555</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
      </viz>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Motivator

Brill - 100% brill and thanks 🙂

SplunkTrust

Happy to help 🙂


Motivator

One last thing if possible.

Do you know how to make them smaller? I posted a question but have gotten no hits yet. Cheers
Robert

SplunkTrust

PS: In the search query the commands till | stats last(value) as value by field generate dummy data as per the question.


SplunkTrust

Hi @robertlynch2020,

Try this run-anywhere example:

<dashboard>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_* (sourcetype=splunkd OR sourcetype=kvstore)|stats count as c by sourcetype,component|fields - c
|eval range=if(sourcetype="splunkd","severe","low")</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trellis.splitBy">component</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

In short, use a range variable to decide the color (severity). You need to change the base search index=_* (sourcetype=splunkd OR sourcetype=kvstore)|stats count as c by sourcetype,component to display your final set of fields and then change <option name="trellis.splitBy">component</option> to your field value.

Motivator

Thanks for this as well - I used this also 🙂