Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How do I use the SingleValue module to color code ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In discussions, Johnvey has suggested to use the SingleValue module to display the output of the results.
In fact, with the rangemap search keyword, we are simply getting the output in the form of text and there is still no way for us to interpret it and display it in another format (like an image).
Please see the code snippet below:
<view refresh="60" template="dashboard.html">
<module name="HiddenSearch" layoutPanel="panel_row1_col1"
group="FuturesDemo Messages per minute" autoRun="True">
<param name="search">index="os" foo
FuturesDemo earliest="-1m" |stats count|rangemap field=count red=0-0
default=green</param>
<param name="earliest">-1m</param>
<module name="ResultsHeader">
<param name="entityName">scanned</param>
<param name="entityLabel">foo events</param>
<module name="FlashChart">
<param name="height">180px</param>
<param name="width">80%</param>
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So to clarify your question:
The current configuration will display the text that you desire.
<view refresh="60" template="dashboard.html">
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
<module name="SingleValue">
<param name="labelPosition">before</param>
<param name="beforeLabel">foo(</param>
<param name="afterLabel">)</param>
</module>
</module>
</view>
However, the background color never changes depending on the dynamic value.
If that is the case, the solution is to change your populating search:
index="os" foo earliest="-1m" |stats count
| rangemap field=count red=0-0 default=green
to
index="os" foo earliest="-1m" |stats count
| rangemap field=count low=0-0 elevated=1-1 default=severe
By default, the SingleValue module defines the following class -> color mappings:
None -> grey (#999)
low -> green (#72c72d)
guarded -> blue (#4da6df)
elevated -> yellow (#e9da34)
high -> orange (#e67918)
severe -> red (#bb2121)
These values are defined in:
$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css
You can override them at either the application level by editing the file:
$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css
or at the view level by:
- Creating a custom view CSS file in the same directory as above
Linking a view to that custom view CSS by adding it to the view XML node, i.e.,
<view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">
Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So to clarify your question:
The current configuration will display the text that you desire.
<view refresh="60" template="dashboard.html">
<module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
<module name="SingleValue">
<param name="labelPosition">before</param>
<param name="beforeLabel">foo(</param>
<param name="afterLabel">)</param>
</module>
</module>
</view>
However, the background color never changes depending on the dynamic value.
If that is the case, the solution is to change your populating search:
index="os" foo earliest="-1m" |stats count
| rangemap field=count red=0-0 default=green
to
index="os" foo earliest="-1m" |stats count
| rangemap field=count low=0-0 elevated=1-1 default=severe
By default, the SingleValue module defines the following class -> color mappings:
None -> grey (#999)
low -> green (#72c72d)
guarded -> blue (#4da6df)
elevated -> yellow (#e9da34)
high -> orange (#e67918)
severe -> red (#bb2121)
These values are defined in:
$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css
You can override them at either the application level by editing the file:
$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css
or at the view level by:
- Creating a custom view CSS file in the same directory as above
Linking a view to that custom view CSS by adding it to the view XML node, i.e.,
<view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">
Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To Rakesh: it's a little unclear what your desired output is. The search you specify will output a table with 2 values: a 'count' and then an enumeration. Are you trying to display 2 different images, or just a colored box? Do you want to see the actual count?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
