Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can show the color for different values for multi panels

Anud
Path Finder
‎03-10-2025 06:27 AM

index=myindex NUM
| where isnull(NXT)
| dedup MC
| eval lrm_time=[ search index=myindex2
| eventstats min(_time) as min_time
| where _time=min_time
| table min_time
| dedup min_time | return $min_time ]
| eval formatted_time = strptime(AVAIL_TS, "%Y%m%d%H%M%S")
| eval lrm_frmt_time = strptime(strftime(lrm_time, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval final_time = if(formatted_time > lrm_frmt_time, formatted_time, null)
| where isnotnull(final_time)
| join NUM
[search index=myindex3 NUM
| eval ID = printf("%01d",ID)
| rename ID as NUM
| stats count by NUM
| eval timestatus=case(count > 5, "Complete", count == 0, "Incomplete", count > 0 AND count >= 5, "In Progress") ]
| search NUM = 1 | stats count AS Total

Here is the query using output will come count and that value shows using single value.
file runs 4 times daily. I will create 4 panels show the NUM =1, 2, 3, 4 count.
how i can show the field timestatus output is complete, incomplete and inprogress for each panel color.

Thanks in Advance!

Labels (4)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2025 07:17 AM

Firstly, you need a search which delivers the value you want. This search is a bit confusing. You are formatting a time field and then within the same statement parsing the result using exactly to same format string. You may as well evaluate lrm_frmt_time to lrm_time.

timestatus is coming from your join but you are ignoring it in your final stats command so it is thrown away.

You should try to avoid joins if possible, therefore, I suggest you rewrite the search (or provide a working version), or is that what you are seeking help with, as opposed to how to set the colour on a single visualisation?

0 Karma
Reply

Anud
Path Finder
‎03-10-2025 07:24 AM

Thank you very much for your quick response!
yes, Need visualization based on timestatus wether it is completed,inprogress and incomplete.

index=myindex NUM
| where isnull(NXT)
| dedup MC
| join NUM
[search index=myindex3 ID
| eval ID = printf("%01d",ID)
| rename ID as NUM
| stats count by NUM
| eval timestatus=case(count >5, "Complete", count == 0, "Incomplete", count > 0 AND count >= 5, "In Progress") ]
| search NUM = 1 | stats count AS Total

Output is to show only total count. background "NUM" wise  we need to display the colors based on the field "timestatus"


 

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...