@ITWhisperer I want to compare two field values match.If does not match i want to colour both the fields.

index="mulesoft" applicationName="s-concur-api" environment=PRD priority timestamp (tracePoint="EXCEPTION") OR
    ("Concur Ondemand Started*") OR (message="Expense Extract Process started for jobName :*") OR ("Before Calling flow archive-Concur*") OR (message="*(SUCCESS): Concur AP/GL Extract V*") OR (message="Records Count Validation*") OR (message="API: START: /v1/expense/extract/ondemand*" OR message="API: START: /v1/fin*") OR (message="Post - Expense Extract processing to Oracle*") OR (message="Concur AP/GL File/s Process Status") OR (message="*(ERROR):*") 
| search NOT message IN ("API: START: /v1/expense/extract/ondemand/accrual*") 
| spath content.payload{} 
| mvexpand content.payload{} 
| transaction correlationId 
| rename content.SourceFileName as SourceFileName content.JobName as JobName content.loggerPayload.archiveFileName AS ArchivedFileName content.payload{} as response content.Region as Region content.ConcurRunId as ConcurRunId content.HeaderCount as HeaderCount content.SourceFileDTLCount 
    as SourceFileDTLCount content.APRecordsCountStaged
    as APRecordsCountStaged content.GLRecordsCountStaged
    as GLRecordsCountStaged content.TotalAPGLRecordsCountStaged as TotalAPGLRecordsCountStaged 
    content.ErrorMsg as errorMessage content.errorMsg as error content.errorMsg as error "content.payload{}.AP Import flow processing results{}.requestID" as RequestID "content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId 
| rex field=message max_match=0 "Expense Extract Process started for (?<FileName>[^\n]+)" 
| rex field=message max_match=0 "API: START: /v1/expense/extract/ondemand/(?<OtherRegion>[^\/]+)\/(?<OnDemandFileName>\S+)" 
| eval OtherRegion=upper(OtherRegion) 
| eval OnDemandFileName=rtrim(OnDemandFileName,"Job") 
| eval "FileName/JobName"= coalesce(OnDemandFileName,JobName) 
| eval JobType=case(like('message',"%Concur Ondemand Started%"),"OnDemand",like('message',"%API: START: /v1/expense/extract/ondemand%"),"OnDemand",like('message',"Expense Extract Process started%"),"Scheduled") 
| eval Status=case(like('message' ,"%Concur AP/GL File/s Process Status%"),"SUCCESS", like('tracePoint',"%EXCEPTION%"),"ERROR") 
| eval Region= coalesce(Region,OtherRegion) 
| eval OracleRequestId=mvappend("RequestId:",RequestID,"ImpConReqid:",ImpConReqId) 
| eval CheckMatch = if(isnull(SourceFileDTLCount) OR isnull(TotalAPGLRecordsCountStaged), "not matched", "matched") 
| eventstats min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time by correlationId 
| eval StartTime=round(strptime(Logon_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) 
| eval EndTime=round(strptime(Logoff_Time, "%Y-%m-%dT%H:%M:%S.%QZ")) 
| eval ElapsedTimeInSecs=EndTime-StartTime 
| eval "Total Elapsed Time"=strftime(ElapsedTimeInSecs,"%H:%M:%S") 
| eval sign=if(SourceFileDTLCount == TotalAPGLRecordsCountStaged,"GREEN", "YELLOW") 
| rename Logon_Time as Timestamp 
| table Status JobType "FileName/JobName" Timestamp Region ConcurRunId HeaderCount SourceFileDTLCount APRecordsCountStaged GLRecordsCountStaged TotalAPGLRecordsCountStaged ArchivedFileName ElapsedTimeInSecs "Total Elapsed Time" OracleRequestId correlationId 
| join correlationId type=left 
    [ search index="mulesoft" applicationName="s-concur-api" (message="*(SUCCESS): Concur AP/GL Extract V.3.02 - *. Concur Batch ID: * Company Code: * Operating Unit: *") 
    | eval Message=case(like('message',"%(SUCCESS): Concur AP/GL Extract V.3.02 - %. Concur Batch ID: % Company Code: % Operating Unit: %"),message) 
    | table Message correlationId
        ] 
| eval Response= coalesce(error,errorMessage,Message) 
| table Status JobType "FileName/JobName" Timestamp CheckMatch Region ConcurRunId HeaderCount SourceFileDTLCount APRecordsCountStaged GLRecordsCountStaged TotalAPGLRecordsCountStaged ArchivedFileName ElapsedTimeInSecs "Total Elapsed Time" sign OracleRequestId Response correlationId 
| fields - ElapsedTimeInSecs priority 
| where JobType!=" " 
| search Status="*"

OK so use eval with an if such that if the two fields are equal mvappend a value that the formatting picks up to change the colour to what you want. (See the example in the link I provided)

Hi @ITWhisperer 

I used to this stanze to check the values are match.If i append in mvappend its showing both the values.How to set rules in dashboard.could you pls help on it.

| eval match=if(SourceFileDTLCount=TotalAPGLRecordsCountStaged,"Match","Not Match")
| eval SourceFileDTLCount=mvappend(SourceFileDTLCount,match)

As I said earlier, you can use CSS - follow the example in this reply

Re: How to color the columns based on previous co... - Splunk Community

As you mentioned i tried the mvappend the fields and its showing both the values in the table .The thing i need to show only when if it is not matched then i need to show the colours.

| eval match=if(SourceFileDTLCount=TotalAPGLRecordsCountStaged, " ", if(SourceFileDTLCount!=TotalAPGLRecordsCountStaged, "Not Match","RED"))
| eval SourceFileDTLCount=mvappend(SourceFileDTLCount,match)

Hi @ITWhisperer 
Its working but if i want to use any multivalue filed in the table.So the result might be affect right.If there is any possible to hide values for particular table using css.

As I said, change the tableCellColourWithoutJS to be the id of your panel

@ITWhisperer  I asking for particular table column. Where to use id in it. In the below screenshot both the column has multi value field .If use the tableCellColourWithoutJS another column is affecting .So I want hide mv index for particular column

Got it. Try like this - you may have to adjust the child number depending on which column you want the CSS to apply to

    <panel depends="$stayhidden$">
      <html>
        <style>
          #tableCellColourWithoutJS table tbody td:nth-child(1) div.multivalue-subcell[data-mv-index="1"]{
            display: none;
          }
        </style>
      </html>
    </panel>