How to color the column based on the value of anot...

darrfang

Hey Splunk team,

I have a data similar to this:

| makeresults
| eval data="ABC,10,15;DEF,12,13;GHI,11,14"
| makemv delim=";" data
| mvexpand data
| eval label=mvindex(split(data,","),0)
| eval duration1=tonumber(mvindex(split(data,","),1))
| eval duration2=tonumber(mvindex(split(data,","),2))
| eval duration_diff=abs(duration1 - duration2)
| table label duration1 duration2 duration_diff

which I wanted to highlight the color in red, if value of abs(duration1 - duration2) is >2, making the column red. In the example above, column 10, 15 & 11, 14 should be red.

I tried to do something like this but not able to get it work, could you help me how to do that, thank you!

<format type="color" field="duration2">
    <colorPalette type="expression">if ($row.duration_diff$ &gt; 2 ,"#DC4E41", null())</colorPalette>
</format>

tscroggins

Hi @darrfang,

You can use CSS to manipulate cell foreground and background colors. This example uses the duration_diff field's style as a key, changes the duration1 and duration2 cell colors, and then hides the duration_diff field's associated th and td elements:

<dashboard version="1.1" theme="light">
  <label>range_table</label>
  <row>
    <panel>
      <html id="my_html">
        <style>
          #my_table td:not([data-cell-index="0"]):has(~ .color-formatted[style="color: rgb(255, 255, 255); background-color: rgb(212, 31, 31);"]) {
            color: rgb(255, 255, 255);
            background-color: rgb(212, 31, 31);
          }

          #my_table td.color-formatted {
            display: none !important;
          }
          
          #my_table th[data-sort-key="duration_diff"] {
            display: none !important;
          }
          
          #my_html {
            display: none !important;
          }
        </style>   
      </html>
      <table id="my_table">
        <search>
          <query>| makeresults
| eval data="ABC,10,15;DEF,12,13;GHI,11,14"
| makemv delim=";" data
| mvexpand data
| eval label=mvindex(split(data,","),0)
| eval duration1=tonumber(mvindex(split(data,","),1))
| eval duration2=tonumber(mvindex(split(data,","),2))
| eval duration_diff=abs(duration1 - duration2)
| table _time duration1 duration2 duration_diff</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <format type="color" field="duration_diff">
          <colorPalette type="list">[#FFFFFF,#D41F1F]</colorPalette>
          <scale type="threshold">2</scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

ITWhisperer

The row tokens don't work in palette expressions. You could try something like this:

Essentially, the technique is to create a multi-value field with a tag for the colour you want to be used, then use format/colorPalette to set the colour and some CSS to hide the extra value in the multi-value field

See this solution https://community.splunk.com/t5/Splunk-Search/How-to-change-table-cell-background-color-depends-on-s...

PickleRick

What do you actually want to change colour of? A column? I suppose it is a row but you keep repeating "column" as if it was no mistake.

How to color the column based on the value of another row in splunk dashboard

Classic dashboard

CSS

table

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation