How can I integrate this IF statement into the panel?

shane1234
Explorer

Hello,

Below is the source for a panel on one of my dashboards. It outputs a single number that shows how many of our systems are active. Ideally this number will always be 50. We want to highlight when it is NOT 50.

Here is the summary of the condition I want to add to the code below, but don't know how. I am asking if someone can please help me integrate this IF statement into the panel below. Seeing this one example will help me add these to other Splunk panels and really improve my team's effectiveness with this tool.

IF number of systems is 50, hide value (making font color white would work if hiding value isn't possible).
ELSE (make font color red and size 100)

Actual code being used to add the above statement to:

<title># of Running Systems</title>
<search>
  <query>sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES</query>
  <earliest>-15m</earliest>
  <latest>now</latest>
</search>

Thank you very much for any help you can provide.

0 Karma
1 Solution

to4kawa
Ultra Champion
<form refresh="10">
  <label>single visualization test</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults 
| eval  NUM_LINES=50 + (random() % 2) * -1</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0xdc4e41","0xffffff"]</option>
        <option name="rangeValues">[49]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">0</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>

I do not know the size of the font, so please ask another person.

shane1234
Explorer

Probably a dumb question, but when I use this I get the following error:

Error in 'stats' command: The argument 'NUM_LINES=50' is invalid.

Any idea?

0 Karma

shane1234
Explorer

Just figured it out using a combination of yours and jarizeloyola's comments. Thank you.

0 Karma

shane1234
Explorer

FYI, I used the format visualization option which populated the proper code into the panel, then since the format menu only allowed ranges, I used your code to modify it to a single value. Here's the result:

  <row>
    <panel>
      <single>
        <title># of Systems</title>
        <search>
          <query>sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="rangeColors">["0xffffff","0xdc4e41"]</option>
        <option name="rangeValues">[44]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
0 Karma

jarizeloyola
Path Finder

If you are using single value on the dashboard you can follow this to add rangemap to the values https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/SingleValueFormatting
or
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Rangemap

carlasteenkamp
Explorer

`

sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES
-15m
now

none
none
0
["0x006d9c","0x006d9c","0xffffff","0xffffff","0xffffff"]
[0,50,70,100]
progressbar
1

`

The range colors and the range values do that; this one will keep 0 - 50 blue and above that white. This should work, but if it doesn't, let me know please.

shane1234
Explorer

Thank you for this.

However, I am looking at just having a single value appear differently (white or hidden). In this case, "50". Everything else (above or below) should appear red.

Also, I attempted to use this as a starting point to figure it out myself and received the following error:

Error in 'stats' command: The argument '-15m' is invalid.

Clearly I am not a programmer and am new to Splunk. I did add the missing "/query" close which resolved the error while working in source, but the above is what displays on the dashboard.

0 Karma
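
Added example, not posted by anyone in this thread: a Simple XML panel for the requirement restated above, where exactly 50 is shown in white and any other count, above or below, is shown in red. It reuses the query from the question and assumes the count is always a whole number and that range boundaries behave as in the accepted answer, where `rangeValues` of `[49]` made 49 red and 50 white.

```xml
<dashboard>
  <label>Running systems check (added example)</label>
  <row>
    <panel>
      <single>
        <title># of Running Systems</title>
        <search>
          <!-- Query and time range copied unchanged from the original question -->
          <query>sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <!-- colorMode "none" colours the number itself; "block" would colour the background instead -->
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <!-- Two thresholds give three bands, so rangeColors needs three entries:
             up to 49        -> red   (0xdc4e41)
             above 49 to 50  -> white (0xffffff), i.e. exactly 50 for a whole-number count
             above 50        -> red   (0xdc4e41) -->
        <option name="rangeValues">[49,50]</option>
        <option name="rangeColors">["0xdc4e41","0xffffff","0xdc4e41"]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</dashboard>
```

A single threshold can only split the values into two bands, which is why the one-value `rangeValues` settings earlier in the thread colour one side of the expected count but not both.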