Dashboards & Visualizations

How do I display colored text in a single value dashboard panel?

pshangguan
New Member

I am very new to Splunk and XML, and I am trying to display the status of my Jenkins jobs.

Here is my query:

index=jenkins |spath job_name | search job_name="job/utl-dataflow-check-DEV2/" | sort -_time | stats latest(job_result) as status, latest(_time) as dev2t | eval Dev2Time=strftime(dev2t, "%Y-%m-%d: %H:%M:%S") | fields status Dev2Time | head 1

This displays the status of the query in Black now.

The "status" is either SUCCESS, FAILURE, or some other value if the job did not run within the time range. I want to display the environment name (in this case DEV2, as the job name indicates) instead of the status: in RED if the status is FAILURE, in GREEN if the status is SUCCESS, and in GREY if the status is something else.

I could not find useful info yet. Thanks.

0 Karma
1 Solution

adonio
Ultra Champion

Adding a screenshot here, as it seems I can't add a screenshot while editing:


pshangguan
New Member

Thanks for the code. I tested it and it worked for the green.

  <single>
    <title>$dev2title$</title>
    <search>
      <query>index=jenkins |spath job_name | search job_name="job/utl-dataflow-check-DEV2/" | sort -_time | stats latest(job_result) as dev2s, latest(_time) as dev2t | eval Dev2Time=strftime(dev2t, "%Y-%m-%d: %H:%M:%S") | eval dev2value=if(dev2s==SUCCESS,"good","bad") | fields dev2s Dev2Time | head 1 | eval range=if(dev2value=="bad", "severe", "low")</query>
      <done>
        <set token="dev2title">$result.Dev2Time$</set>
      </done>
      <earliest>-4h@h</earliest>
      <latest>now</latest>
      <refresh>2m</refresh>
      <refreshType>delay</refreshType>
    </search>
    <option name="drilldown">none</option>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">none</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
    <option name="rangeValues">[0,30,70,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="unitPosition">after</option>
    <option name="useColors">0</option>
    <option name="useThousandSeparators">1</option>
  </single>

Somehow, I always get text displayed in green. I tested the query, when dev2value is "FAILURE", "severe" was picked up, but the display is still green which is "low".

0 Karma

adonio
Ultra Champion

Hmmm, interesting. Try to run the search, change the visualization to "single value" and save it as a dashboard panel; do not edit the visualization parameters from the GUI.

0 Karma

pshangguan
New Member

Sure. I changed the visualization to:

fields dev2s | eval range=if(dev2value=="bad", "severe", "low")

Just the status which is FAILURE for this environment, it still picks up "low".

0 Karma

pshangguan
New Member

I also tried to flip the logic and get red display all the time, including SUCCESS.

0 Karma

pshangguan
New Member

What I did is to check the dev2s directly, like this:

eval range=if(dev2s=="FAILURE", "severe", "low")

This time, it picked up the right color. Thanks for your help!

0 Karma

pshangguan
New Member

It seems eval range=if(dev2value=="bad", "severe", "low") always picks up the last value...

0 Karma
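
Added example (not part of any post in this thread): a Simple XML dashboard over constructed rows that isolates the two differences between the panel query posted above and the version that worked. In the posted query `SUCCESS` is unquoted, which eval reads as a field name, and `fields dev2s Dev2Time` removes `dev2value` before the `range` eval reads it. The dashboard label, the sample rows and the field names `n`, `unquoted`, `range_lost`, `range_direct` and `env` are assumptions.

```xml
<dashboard>
  <label>single_value_range_check</label>
  <!-- Added example: the label, the constructed rows and the field names n,
       unquoted, range_lost, range_direct and env are assumptions. -->
  <row>
    <panel>
      <!-- Diagnosis table over three constructed job results.
           unquoted: SUCCESS without quotes is a field reference, not a string.
           range_lost: reads dev2value after "fields" has already removed it.
           range_direct: reads dev2s, which is still present, as in the fix. -->
      <table>
        <search>
          <query>| makeresults count=3
| streamstats count as n
| eval dev2s=case(n==1, "SUCCESS", n==2, "FAILURE", n==3, "ABORTED")
| eval unquoted=if(dev2s==SUCCESS, "good", "bad")
| eval dev2value=if(dev2s=="SUCCESS", "good", "bad")
| fields dev2s unquoted
| eval range_lost=if(dev2value=="bad", "severe", "low")
| eval range_direct=if(dev2s=="FAILURE", "severe", "low")
| table dev2s unquoted range_lost range_direct</query>
        </search>
      </table>
    </panel>
    <panel>
      <!-- Corrected single value: range is computed from a field that still
           exists, the literal is quoted, and the environment name is shown
           instead of the status. Options are a subset of those in the thread. -->
      <single>
        <search>
          <query>| makeresults
| eval dev2s="FAILURE"
| eval env="DEV2"
| eval range=if(dev2s=="FAILURE", "severe", "low")
| table env range</query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="useColors">0</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Comparing the `range_lost` and `range_direct` columns row by row shows whether the `range` value depends on the job result at all.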

adonio
Ultra Champion

See here:
https://answers.splunk.com/answers/525809/change-single-value-color-based-on-textual-value.html

Here is an XML example. Run it a couple of times, as it randomly generates good or bad.

<dashboard>
  <label>singe_value_text</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| gentimes start="08/01/2018:00:00:00" end="08/9/2018:10:00:00" increment=1h 
| eval _time = starttime 
| eval value = random()%2 
| eval next_value = if(value=1,"good","bad")
| stats last(next_value) as good_or_bad
| eval range=if(good_or_bad=="bad", "severe", "low")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

Hope it helps.
