Dashboards & Visualizations

How do I use the singleValue module to color code search results?

Contributor

In disucssions, Johnvey has suggested to use the SingleValue module to display the output of the results.

In fact, with the rangemap search keyword, we are simply getting the output in the form of text and there is still no way for us to interpret it and display it in other format (like an image).

Please see the code snippet below

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1"
 group="FuturesDemo Messages per minute" autoRun="True">
      <param name="search">index="os" foo
FuturesDemo earliest="-1m" |stats count|rangemap field=count red=0-0
default=green</param>
      <param name="earliest">-1m</param>
      <module name="ResultsHeader">
         <param name="entityName">scanned</param>
         <param name="entityLabel">foo events</param>
             <module name="FlashChart">
               <param name="height">180px</param>
               <param name="width">80%</param>
             </module>
      </module>
  </module>
</view>
1 Solution

Contributor

So to clarify your question:

The current configuration will display the text that you desire.

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
       <module name="SingleValue"> 
          <param name="labelPosition">before</param> 
          <param name="beforeLabel">foo(</param> 
          <param name="afterLabel">)</param> 
      </module>
   </module>
</view>

However, the background color never changes depending on the dynamic value.

If that is the case, the solution is to change your populating search:

index="os" foo earliest="-1m" |stats count 
| rangemap field=count red=0-0 default=green

to

index="os" foo earliest="-1m" |stats count 
| rangemap field=count low=0-0 elevated=1-1 default=severe

By default, the SingleValue module defines the following class -> color mappings:

None     -> grey (#999)
low      -> green (#72c72d)
guarded  -> blue (#4da6df)
elevated -> yellow (#e9da34)
high     -> orange (#e67918)
severe   -> red (#bb2121)

These values are defined in:

$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css

You can override them at either the application level by editing the file:

$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css

or at the view level by:

  1. Creating a custom view CSS file in the same directory as above
  2. Linking a view to that custom view CSS by adding it to the view XML node, i.e.,

    <view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">
    

Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.

View solution in original post

Contributor

So to clarify your question:

The current configuration will display the text that you desire.

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
       <module name="SingleValue"> 
          <param name="labelPosition">before</param> 
          <param name="beforeLabel">foo(</param> 
          <param name="afterLabel">)</param> 
      </module>
   </module>
</view>

However, the background color never changes depending on the dynamic value.

If that is the case, the solution is to change your populating search:

index="os" foo earliest="-1m" |stats count 
| rangemap field=count red=0-0 default=green

to

index="os" foo earliest="-1m" |stats count 
| rangemap field=count low=0-0 elevated=1-1 default=severe

By default, the SingleValue module defines the following class -> color mappings:

None     -> grey (#999)
low      -> green (#72c72d)
guarded  -> blue (#4da6df)
elevated -> yellow (#e9da34)
high     -> orange (#e67918)
severe   -> red (#bb2121)

These values are defined in:

$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css

You can override them at either the application level by editing the file:

$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css

or at the view level by:

  1. Creating a custom view CSS file in the same directory as above
  2. Linking a view to that custom view CSS by adding it to the view XML node, i.e.,

    <view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">
    

Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.

View solution in original post

Contributor

To Rakesh: it's a little unclear what your desired output is. The search you specify will output a table with 2 values: a 'count' and then an enumeration. Are you trying to display 2 different images, or just a colored box? Do you want to see the actual count?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!