How to color the column based upon time?

Veeru · ‎04-30-2022

Hello,

I have the dashboard panel which gives latest time with respect to source and host,

now I want to give a color to the rows where time exceeds more than one in last 7 days. Please help me out.

index=A OR index=B | stats latest(_time) as latest_time by source,host | eval latest_time=strftime(latest_time,"%d/%m/%y %H:%M:%S:%Q") | table latest_time,source,host|sort -latest_time

when the time range is more than 24 hours the column should be in red.as mentioned below

Thnak you in advance,

Veeru.

latest_time source host

01/05/22 23:19:08:898	trace.log	y
30/04/22 23:19:08:597	SystemOut.log	y
30/04/22 23:19:08:388	SystemOut.log	x
30/04/22 23:19:08:388	trace.log	x
30/04/22 23:19:05:611	SystemOut.log	y
30/04/22 23:19:05:611	trace.log	x
30/04/22 23:09:40:000	SystemOut.log	y
30/04/22 23:06:05:000	SystemOut.log	x
30/04/22 22:57:14:000	SystemOut.log	y

ITWhisperer · ‎05-01-2022

index=A OR index=B
| stats latest(_time) as latest_time by source,host
| table latest_time,source,host
| sort latest_time
| streamstats window=2 range(latest_time) as timerange
| eval colour=if(timerange>24*60*60),"red",null())
| fields -timerange
| sort -latest_time
| fieldformat latest_time=strftime(latest_time,"%d/%m/%y %H:%M:%S:%Q")

Then use colour to indicate that the row needs to be coloured - there are many answers on how to do this

How to color the column based upon time?

CSS

panel

simple XML

table

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

How to color the column based upon time?

CSS

panel

simple XML

table

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk