Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How i can show the color for different values for multi panels

Anud
Path Finder
‎03-10-2025 06:27 AM

index=myindex NUM
| where isnull(NXT)
| dedup MC
| eval lrm_time=[ search index=myindex2
| eventstats min(_time) as min_time
| where _time=min_time
| table min_time
| dedup min_time | return $min_time ]
| eval formatted_time = strptime(AVAIL_TS, "%Y%m%d%H%M%S")
| eval lrm_frmt_time = strptime(strftime(lrm_time, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| eval final_time = if(formatted_time > lrm_frmt_time, formatted_time, null)
| where isnotnull(final_time)
| join NUM
[search index=myindex3 NUM
| eval ID = printf("%01d",ID)
| rename ID as NUM
| stats count by NUM
| eval timestatus=case(count > 5, "Complete", count == 0, "Incomplete", count > 0 AND count >= 5, "In Progress") ]
| search NUM = 1 | stats count AS Total

Here is the query using output will come count and that value shows using single value.
file runs 4 times daily. I will create 4 panels show the NUM =1, 2, 3, 4 count.
how i can show the field timestatus output is complete, incomplete and inprogress for each panel color.

Thanks in Advance!

Labels (4)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2025 07:17 AM

Firstly, you need a search which delivers the value you want. This search is a bit confusing. You are formatting a time field and then within the same statement parsing the result using exactly to same format string. You may as well evaluate lrm_frmt_time to lrm_time.

timestatus is coming from your join but you are ignoring it in your final stats command so it is thrown away.

You should try to avoid joins if possible, therefore, I suggest you rewrite the search (or provide a working version), or is that what you are seeking help with, as opposed to how to set the colour on a single visualisation?

0 Karma
Reply

Anud
Path Finder
‎03-10-2025 07:24 AM

Thank you very much for your quick response!
yes, Need visualization based on timestatus wether it is completed,inprogress and incomplete.

index=myindex NUM
| where isnull(NXT)
| dedup MC
| join NUM
[search index=myindex3 ID
| eval ID = printf("%01d",ID)
| rename ID as NUM
| stats count by NUM
| eval timestatus=case(count >5, "Complete", count == 0, "Incomplete", count > 0 AND count >= 5, "In Progress") ]
| search NUM = 1 | stats count AS Total

Output is to show only total count. background "NUM" wise  we need to display the colors based on the field "timestatus"


 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...