Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can show the color for different values for multi panels

Anud
Path Finder
‎03-10-2025 06:27 AM

index=myindex NUM
| where isnull(NXT)
| dedup MC
| eval lrm_time=[ search index=myindex2
| eventstats min(_time) as min_time
| where _time=min_time
| table min_time
| dedup min_time | return $min_time ]
| eval formatted_time = strptime(AVAIL_TS, "%Y%m%d%H%M%S")
| eval lrm_frmt_time = strptime(strftime(lrm_time, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval final_time = if(formatted_time > lrm_frmt_time, formatted_time, null)
| where isnotnull(final_time)
| join NUM
[search index=myindex3 NUM
| eval ID = printf("%01d",ID)
| rename ID as NUM
| stats count by NUM
| eval timestatus=case(count > 5, "Complete", count == 0, "Incomplete", count > 0 AND count >= 5, "In Progress") ]
| search NUM = 1 | stats count AS Total

Here is the query using output will come count and that value shows using single value.
file runs 4 times daily. I will create 4 panels show the NUM =1, 2, 3, 4 count.
how i can show the field timestatus output is complete, incomplete and inprogress for each panel color.

Thanks in Advance!

Labels (4)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2025 07:17 AM

Firstly, you need a search which delivers the value you want. This search is a bit confusing. You are formatting a time field and then within the same statement parsing the result using exactly to same format string. You may as well evaluate lrm_frmt_time to lrm_time.

timestatus is coming from your join but you are ignoring it in your final stats command so it is thrown away.

You should try to avoid joins if possible, therefore, I suggest you rewrite the search (or provide a working version), or is that what you are seeking help with, as opposed to how to set the colour on a single visualisation?

0 Karma
Reply

Anud
Path Finder
‎03-10-2025 07:24 AM

Thank you very much for your quick response!
yes, Need visualization based on timestatus wether it is completed,inprogress and incomplete.

index=myindex NUM
| where isnull(NXT)
| dedup MC
| join NUM
[search index=myindex3 ID
| eval ID = printf("%01d",ID)
| rename ID as NUM
| stats count by NUM
| eval timestatus=case(count >5, "Complete", count == 0, "Incomplete", count > 0 AND count >= 5, "In Progress") ]
| search NUM = 1 | stats count AS Total

Output is to show only total count. background "NUM" wise  we need to display the colors based on the field "timestatus"


 

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...