Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a dashboard with single panel value background color driven by text value

kbrookhouse
Engager
‎12-06-2017 10:16 AM

I'm attempting to build a dashboard that will have several single value panels that will be displaying text outputs of eval functions.

But I can not get the background color range to function at all based on the eval results.

host=<removed>* sourcetype=syslog ("Updated to versions" OR "Updating from versions") 
| rex Updat\w+\s(?<Status>\w+\s\w+)
| rex SAV:\s(?<SAV>\d+\.\d+\.\d+)
| rex Engine:\s(?<Engine>\d+\.\d+\.\d+)
| rex Data:\s(?<Data>\d+\.\d+)
| sort by host, _time, Status
| dedup SAV Engine Data host
| replace "from versions" WITH "Starting Version" IN Status
| replace "to versions" WITH "Version Changed" IN Status
| stats earliest(_time) as start, latest(_time) as stop, earliest(SAV) as eSAV, latest(SAV) as lSAV, earliest(Data) as eData, latest(Data) as lData, earliest(Engine) as eEngine, latest(Engine) as lEngine by host
| convert ctime(start) ctime(stop)
| eval cSAV=If(lSAV-eSAV!=0,"Updated","Unchanged")
| rename cSAV as "Virus Definition"
| table "Virus Definition" | eval range=if(lSAV-eSAV!=0,"0","5") | rangemap field=range low=0-0 severe=1-5

My panel will output the appropriate eval result (Updated or Unchanged) but the background coloring will stay black no matter what I've tried in previous questions.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎12-06-2017 12:06 PM

[UPDATE] Reattached image as noticed rangemap was overridden in the Single Value due to Dashboard Edit while testing.

@kbrookhouse, this is kind of unrelated to the question. If SAV is version number like 1.0.1, then how come you are performing numerical calculation on the same i.e. lSAV-eSAV!=0?

Coming to your question. rangemap is not supposed to be used for Single Value coloring as any UI Editing to Single Value Format may override rangemap color. Splunk recommends migrating away from rangemap in Single Value for applying color, refer to following documentations.
https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap...
http://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/AboutupgradingREADTHISFIRST#The_Splun...

However, you can try to edit the Simple XML and make sure that colorMode is set to block and useColors is set to 0. The useColor value 0 indicates that Format option from Editor will not be used to color. Hence color applied by rangemap will not be overridden. Keep the field name to display Single Value Text other than range as range will be used to apply the color. In the following example I have used status for Single Value query. Another point to remember is that do mention the default range for rangemap command for example default=severe

<option name="colorMode">block</option>
<option name="useColors">0</option>

If this does not work you might have to post your Simple XML Single Value visualization configuration as well.

PS: Splunk's Status Indicator Custom Visualization is a better visualization for this use case as it is specifically for representing status through color value and icon.
Refer to Following is a run anywhere dashboard to compare Similar Status by Single Value and Status Indicator:

alt text

Following is the run any where Simple XML dashboard code:

<dashboard>
  <label>Rangemap for Single Value Text Color</label>
  <row>
    <panel>
      <title>Single Value (color through rangemap)</title>
      <single>
        <search>
          <query>| makeresults
| eval status=replace(_time,"(\d+)(\d)","\2")
| eval status=case(status&lt;5,0,true(),1)
| fields - _time
| table status
| rangemap field=status low=0-0 severe=1-5 default=severe
| replace "0" with "Unchanged" in status
| replace "1" with "Updated" in status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">150</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Status Indicator (color and icon)</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| eval range=replace(_time,"(\d+)(\d)","\2")
| eval range=case(range&lt;5,"Unchanged",true(),"Updated")
| eval icon=case(range=="Unchanged","thumbs-o-up",true(),"thumbs-o-down")
| eval color=case(range=="Unchanged","#65a637",true(),"#d93f3c")
| table range icon color</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">150</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#d93f3c</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

kbrookhouse
Engager
‎12-11-2017 09:36 AM

Your solution did the trick.

Ultimately, it came down to modifying the xml for usecolors = 0.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎12-06-2017 12:06 PM

[UPDATE] Reattached image as noticed rangemap was overridden in the Single Value due to Dashboard Edit while testing.

@kbrookhouse, this is kind of unrelated to the question. If SAV is version number like 1.0.1, then how come you are performing numerical calculation on the same i.e. lSAV-eSAV!=0?

Coming to your question. rangemap is not supposed to be used for Single Value coloring as any UI Editing to Single Value Format may override rangemap color. Splunk recommends migrating away from rangemap in Single Value for applying color, refer to following documentations.
https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap...
http://docs.splunk.com/Documentation/Splunk/7.0.0/Installation/AboutupgradingREADTHISFIRST#The_Splun...

However, you can try to edit the Simple XML and make sure that colorMode is set to block and useColors is set to 0. The useColor value 0 indicates that Format option from Editor will not be used to color. Hence color applied by rangemap will not be overridden. Keep the field name to display Single Value Text other than range as range will be used to apply the color. In the following example I have used status for Single Value query. Another point to remember is that do mention the default range for rangemap command for example default=severe

<option name="colorMode">block</option>
<option name="useColors">0</option>

If this does not work you might have to post your Simple XML Single Value visualization configuration as well.

PS: Splunk's Status Indicator Custom Visualization is a better visualization for this use case as it is specifically for representing status through color value and icon.
Refer to Following is a run anywhere dashboard to compare Similar Status by Single Value and Status Indicator:

alt text

Following is the run any where Simple XML dashboard code:

<dashboard>
  <label>Rangemap for Single Value Text Color</label>
  <row>
    <panel>
      <title>Single Value (color through rangemap)</title>
      <single>
        <search>
          <query>| makeresults
| eval status=replace(_time,"(\d+)(\d)","\2")
| eval status=case(status&lt;5,0,true(),1)
| fields - _time
| table status
| rangemap field=status low=0-0 severe=1-5 default=severe
| replace "0" with "Unchanged" in status
| replace "1" with "Updated" in status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="height">150</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0xd93f3c"]</option>
        <option name="rangeValues">[0]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Status Indicator (color and icon)</title>
      <viz type="status_indicator_app.status_indicator">
        <search>
          <query>| makeresults
| eval range=replace(_time,"(\d+)(\d)","\2")
| eval range=case(range&lt;5,"Unchanged",true(),"Updated")
| eval icon=case(range=="Unchanged","thumbs-o-up",true(),"thumbs-o-down")
| eval color=case(range=="Unchanged","#65a637",true(),"#d93f3c")
| table range icon color</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="height">150</option>
        <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
        <option name="status_indicator_app.status_indicator.fillTarget">background</option>
        <option name="status_indicator_app.status_indicator.fixIcon">warning</option>
        <option name="status_indicator_app.status_indicator.icon">field_value</option>
        <option name="status_indicator_app.status_indicator.precision">0</option>
        <option name="status_indicator_app.status_indicator.showOption">1</option>
        <option name="status_indicator_app.status_indicator.staticColor">#d93f3c</option>
        <option name="status_indicator_app.status_indicator.useColors">true</option>
        <option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

kbrookhouse
Engager
‎12-06-2017 12:14 PM

If SAV is version number like 1.0.1, then how come you are performing numerical calculation on the same i.e. lSAV-eSAV!=0?

To answer your question, I was tasked with making a very simple "at a glance" dashboard display in order to validate that version numbers are changing - therefore indicating updates are continuing to be processed. We've had issues in the past where the update mechanism has failed without throwing errors so this is our way of preventing that from happening again.

Extracting the SAV values from the log was necessary to do a comparison of the latest and earliest search results.

I will take a look at your suggestions and see what I can do.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-06-2017 12:31 PM

@kbrookhouse, Thanks for the explanation. Yes I understand what is being done. My point was 1.0.1 and 2.1.1 will be treated as strings and not numbers. Hence mathematical operation like minus should fail. Ideally you should perform string comparison like >= or <= or simple == or != with two string values.

Since you have used minus, I was getting confused. In any case, do try out the dashboard and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...