How to build a dashboard with single panel value background color driven by text value

kbrookhouse
Engager

I'm attempting to build a dashboard that will have several single value panels displaying the text output of eval functions.

But I cannot get the background color range to work at all based on the eval results.

host=<removed>* sourcetype=syslog ("Updated to versions" OR "Updating from versions")
| rex "Updat\w+\s(?<Status>\w+\s\w+)"
| rex "SAV:\s(?<SAV>\d+\.\d+\.\d+)"
| rex "Engine:\s(?<Engine>\d+\.\d+\.\d+)"
| rex "Data:\s(?<Data>\d+\.\d+)"
| sort host, _time, Status
| dedup SAV Engine Data host
| replace "from versions" WITH "Starting Version" IN Status
| replace "to versions" WITH "Version Changed" IN Status
| stats earliest(_time) as start, latest(_time) as stop, earliest(SAV) as eSAV, latest(SAV) as lSAV, earliest(Data) as eData, latest(Data) as lData, earliest(Engine) as eEngine, latest(Engine) as lEngine by host
| convert ctime(start) ctime(stop)
| eval cSAV=if(lSAV-eSAV!=0,"Updated","Unchanged")
| rename cSAV as "Virus Definition"
| table "Virus Definition"
| eval range=if(lSAV-eSAV!=0,"0","5")
| rangemap field=range low=0-0 severe=1-5

My panel will output the appropriate eval result (Updated or Unchanged), but the background coloring stays black no matter what I've tried from previous questions.

0 Karma
1 Solution

niketn
Legend

[UPDATE] Reattached the image, as I noticed rangemap was overridden in the Single Value due to a Dashboard Edit while testing.

@kbrookhouse, this is kind of unrelated to the question. If SAV is a version number like 1.0.1, then how come you are performing a numerical calculation on it, i.e. lSAV-eSAV!=0?

Coming to your question: rangemap is not supposed to be used for Single Value coloring, as any UI editing of the Single Value Format may override the rangemap color. Splunk recommends migrating away from rangemap in Single Value for applying color; refer to the following documentation.
https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap...
http://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/AboutupgradingREADTHISFIRST#The_Splun...

However, you can try to edit the Simple XML and make sure that colorMode is set to block and useColors is set to 0. The useColors value 0 indicates that the Format option from the editor will not be used for coloring; hence the color applied by rangemap will not be overridden. Keep the field name used to display the Single Value text different from range, as range will be used to apply the color. In the following example I have used status for the Single Value query. Another point to remember is to specify the default range for the rangemap command, for example default=severe.

<option name="colorMode">block</option>
<option name="useColors">0</option>

If this does not work, you might have to post your Simple XML Single Value visualization configuration as well.

PS: Splunk's Status Indicator Custom Visualization is a better visualization for this use case, as it is specifically for representing status through a color value and an icon.
The following is a run-anywhere dashboard to compare similar status by Single Value and Status Indicator:


Following is the run-anywhere Simple XML dashboard code:

<dashboard>
  <label>Rangemap for Single Value Text Color</label>
  <row>
    <panel>
      <title>Single Value (color through rangemap)</title>
      <single>
        <search>
          <query>| makeresults
| eval status=replace(_time,"(\d+)(\d)","\2")
| eval status=case(status&lt;5,0,true(),1)
| fields - _time
| table status
| rangemap field=status low=0-0 severe=1-5 default=severe
| replace "0" with "Unchanged" in status
| replace "1" with "Updated" in status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">150</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Status Indicator (color and icon)</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| eval range=replace(_time,"(\d+)(\d)","\2")
| eval range=case(range&lt;5,"Unchanged",true(),"Updated")
| eval icon=case(range=="Unchanged","thumbs-o-up",true(),"thumbs-o-down")
| eval color=case(range=="Unchanged","#65a637",true(),"#d93f3c")
| table range icon color</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">150</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#d93f3c</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


kbrookhouse
Engager

Your solution did the trick.

Ultimately, it came down to modifying the XML to set useColors = 0.

0 Karma

kbrookhouse
Engager

If SAV is version number like 1.0.1, then how come you are performing numerical calculation on the same i.e. lSAV-eSAV!=0?

To answer your question, I was tasked with making a very simple "at a glance" dashboard display in order to validate that version numbers are changing, therefore indicating that updates are continuing to be processed. We've had issues in the past where the update mechanism has failed without throwing errors, so this is our way of preventing that from happening again.

Extracting the SAV values from the log was necessary to do a comparison of the latest and earliest search results.

I will take a look at your suggestions and see what I can do.

0 Karma

niketn
Legend

@kbrookhouse, thanks for the explanation. Yes, I understand what is being done. My point was that 1.0.1 and 2.1.1 will be treated as strings and not numbers; hence a mathematical operation like minus should fail. Ideally you should perform a string comparison like >= or <=, or simply == or !=, with two string values.

Since you have used minus, I was getting confused. In any case, do try out the dashboard and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
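As an added example (not code posted by niketn or kbrookhouse), the following Simple XML panel applies the accepted answer's useColors=0 and colorMode=block settings to the original SAV search, compares the version strings with != as suggested in the comment instead of subtracting them, and keeps the displayed status field separate from the range field that rangemap produces. EXAMPLE_HOST is a placeholder for the real host filter, and one host per panel is assumed so that the Single Value shows a single row.

```xml
<dashboard>
  <label>Virus Definition status (string comparison, rangemap color)</label>
  <row>
    <panel>
      <title>Virus Definition</title>
      <single>
        <search>
          <!-- EXAMPLE_HOST is a placeholder; status is displayed, range only drives the color -->
          <query>host=EXAMPLE_HOST sourcetype=syslog ("Updated to versions" OR "Updating from versions")
| rex "SAV:\s(?&lt;SAV&gt;\d+\.\d+\.\d+)"
| stats earliest(SAV) as eSAV latest(SAV) as lSAV
| eval status=if(lSAV!=eSAV,"Updated","Unchanged")
| eval delta=if(lSAV!=eSAV,1,0)
| rangemap field=delta low=0-0 severe=1-1 default=severe
| fields status range</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- block fill plus useColors=0 keeps the editor's Format colors from overriding rangemap -->
        <option name="colorMode">block</option>
        <option name="useColors">0</option>
        <option name="drilldown">none</option>
        <option name="height">150</option>
      </single>
    </panel>
  </row>
</dashboard>
```

With no SAV events in the time range, eSAV and lSAV are both null, delta becomes 0 and the panel shows "Unchanged" in the low color; tighten or widen the earliest/latest window to match how often updates are expected.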