Solved: How do I use the SingleValue module to color code ...

tpaulsen · ‎11-03-2009

In discussions, Johnvey has suggested to use the SingleValue module to display the output of the results.

In fact, with the rangemap search keyword, we are simply getting the output in the form of text and there is still no way for us to interpret it and display it in another format (like an image).

Please see the code snippet below:

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1"
 group="FuturesDemo Messages per minute" autoRun="True">
      <param name="search">index="os" foo
FuturesDemo earliest="-1m" |stats count|rangemap field=count red=0-0
default=green</param>
      <param name="earliest">-1m</param>
      <module name="ResultsHeader">
         <param name="entityName">scanned</param>
         <param name="entityLabel">foo events</param>
             <module name="FlashChart">
               <param name="height">180px</param>
               <param name="width">80%</param>
             </module>
      </module>
  </module>
</view>

Johnvey · ‎11-04-2009

So to clarify your question:

The current configuration will display the text that you desire.

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
       <module name="SingleValue"> 
          <param name="labelPosition">before</param> 
          <param name="beforeLabel">foo(</param> 
          <param name="afterLabel">)</param> 
      </module>
   </module>
</view>

However, the background color never changes depending on the dynamic value.

If that is the case, the solution is to change your populating search:

index="os" foo earliest="-1m" |stats count 
| rangemap field=count red=0-0 default=green

to

index="os" foo earliest="-1m" |stats count 
| rangemap field=count low=0-0 elevated=1-1 default=severe

By default, the SingleValue module defines the following class -> color mappings:

None     -> grey (#999)
low      -> green (#72c72d)
guarded  -> blue (#4da6df)
elevated -> yellow (#e9da34)
high     -> orange (#e67918)
severe   -> red (#bb2121)

These values are defined in:

$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css

You can override them at either the application level by editing the file:

$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css

or at the view level by:

Creating a custom view CSS file in the same directory as above

Linking a view to that custom view CSS by adding it to the view XML node, i.e.,

<view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">

Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.

View solution in original post

Johnvey · ‎11-04-2009

So to clarify your question:

The current configuration will display the text that you desire.

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
       <module name="SingleValue"> 
          <param name="labelPosition">before</param> 
          <param name="beforeLabel">foo(</param> 
          <param name="afterLabel">)</param> 
      </module>
   </module>
</view>

However, the background color never changes depending on the dynamic value.

If that is the case, the solution is to change your populating search:

index="os" foo earliest="-1m" |stats count 
| rangemap field=count red=0-0 default=green

to

index="os" foo earliest="-1m" |stats count 
| rangemap field=count low=0-0 elevated=1-1 default=severe

By default, the SingleValue module defines the following class -> color mappings:

None     -> grey (#999)
low      -> green (#72c72d)
guarded  -> blue (#4da6df)
elevated -> yellow (#e9da34)
high     -> orange (#e67918)
severe   -> red (#bb2121)

These values are defined in:

$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css

You can override them at either the application level by editing the file:

$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css

or at the view level by:

Creating a custom view CSS file in the same directory as above

Linking a view to that custom view CSS by adding it to the view XML node, i.e.,

<view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">

Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.

Johnvey · ‎11-03-2009

To Rakesh: it's a little unclear what your desired output is. The search you specify will output a table with 2 values: a 'count' and then an enumeration. Are you trying to display 2 different images, or just a colored box? Do you want to see the actual count?

How do I use the SingleValue module to color code search results?

chart

single value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation