Solved: How to color Multivalued field in a dashboard xml?

Cheng2Ready · ‎08-06-2024

This is what I used
and after applying the results just highlights the entire mv field in red

<format type="color">
<colorPalette type="expression"> case (match(value,"Large Effect"), "#ff0000",match(value,"Medium Effect"), "#ffff00",match(value,"Small Effect"),"#00ff00",true(),"#ffffff")</colorPalette>
</format>

looking for

Small effect -> Green
Medium effect -> Orange
and Large effect -> Red

Continuing from this search:
@ITWhisperer
https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-csv-data-fields-message-data-into-fie...

ITWhisperer · ‎08-07-2024

Too many brackets - try like this

<colorPalette type="expression">case (match(value,"Large Effect") OR match(value,"No"),"#ff0000",match(value,"Medium Effect"), "#ffff00",match(value,"Small Effect"),"#00ff00",true(),"#ffffff")</colorPalette>

View solution in original post

ITWhisperer · ‎08-06-2024

You will need to mvexpand the field for that you can colour rows of the field

Cheng2Ready · ‎08-06-2024

That worked!
but im trying to color the words " Large Effect " and "No" to red
not sure what I did wrong here?

<colorPalette type="expression">case (match(value,"Large Effect") OR (match(value,"No"),"#ff0000",

match(value,"Medium Effect"), "#ffff00",match(value,"Small Effect"),"#00ff00",true(),"#ffffff")</colorPalette>

ITWhisperer · ‎08-07-2024

Too many brackets - try like this

<colorPalette type="expression">case (match(value,"Large Effect") OR match(value,"No"),"#ff0000",match(value,"Medium Effect"), "#ffff00",match(value,"Small Effect"),"#00ff00",true(),"#ffffff")</colorPalette>

How to color Multivalued field in a dashboard xml?

Classic dashboard

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?