Hello,
Below is the source for a panel on one of my dashboards. It outputs a single number that shows how many of our systems are active. Ideally this number will always be 50. We want to highlight when it is NOT 50.
Here is the summary of the condition I want to add to the code below, but don't know how. I am asking if someone can please help me integrate this IF statement into the panel below. Seeing this one example will help me add these to other Splunk panels and really improve my teams effectiveness with this tool.
IF number of systems is 50, hide value (making font color white would work if hiding value isn't possible).
ELSE (make font color red and size 100)
Actual code being used to add the above statement to:
<title># of Running Systems</title>
<search>
<query>sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
Thank you very much for any help you can provide.
<form refresh="10">
<label>single visualization test</label>
<row>
<panel>
<single>
<search>
<query>| makeresults
| eval NUM_LINES=50 + (random() % 2) * -1</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0xdc4e41","0xffffff"]</option>
<option name="rangeValues">[49]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">0</option>
<option name="showTrendIndicator">0</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
</form>
I do not know the size of the font, so please ask another person.
<form refresh="10">
<label>single visualization test</label>
<row>
<panel>
<single>
<search>
<query>| makeresults
| eval NUM_LINES=50 + (random() % 2) * -1</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0xdc4e41","0xffffff"]</option>
<option name="rangeValues">[49]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">0</option>
<option name="showTrendIndicator">0</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
</form>
I do not know the size of the font, so please ask another person.
Probably a dumb question, but when I use this I get the following error:
Error in 'stats' command: The argument 'NUM_LINES=50' is invalid.
Any idea?
Just figured it out using a combination of yours and jarizeloyola's comments. Thank you.
FYI, I used the format visualization option which populated the proper code into the panel, then since the format menu only allowed ranges, I used your code to modify it to a single value. Here's the result:
<row>
<panel>
<single>
<title># of Systems</title>
<search>
<query>sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="rangeColors">["0xffffff","0xdc4e41"]</option>
<option name="rangeValues">[44]</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
If you are using single value on the dashboard you can follow this to add rangemap to the values https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/SingleValueFormatting
or
https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Rangemap
`
sourcetype=prod source=*peek.log config_section_stats | stats latest(_time) as latest_log_time, latest(model_time) as latest_model_time by case, source, hostname | convert ctime(latest_log_time) | stats dc(case) as NUM_LINES
-15m
now
none
none
0
["0x006d9c","0x006d9c","0xffffff","0xffffff","0xffffff"]
[0,50,70,100]
progressbar
1
`
The range colors and the range values does that, this one will keep 0 - 50 blue and above that white. this should work, but if it doesn't let me know please
Thank you for this.
However, I am looking at just having a single value appear differently (white or hidden). In this case, "50". Everything else (above or below) should appear red.
Also, I attempted to use this as a starting point to figure it out myself and received the following error:
Error in 'stats' command: The argument '-15m' is invalid.
Clearly I am not a programmer and am new to Splunk. I did add the missing "/query" close which resolved the error while working in source, but the above is what displays on the dashboard.