Hello Splunk Community,
I am trying to replicate a heat map using the table formats app available through Splunk. I see the coloring of the cells when I use the stats command as below, but I need to have the data show as a chart. The issue is when I use chart all the color goes away from the table. Is there a work around for this problem?
<dashboard>
<label>Table Formats</label>
<description>Format columns using built-in table formats (coloring, number formatting).</description>
<row>
<panel>
<table>
<search>
<query>
index="Dept_data_idx" eventType="Created" status="success" host=* | bucket _time span=1h | stats count by _time host
</query>
<earliest>-7d</earliest>
<latest>now</latest>
</search>
<format type="color" field="count">
<colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
</table>
<html>
</html>
</panel>
</row>
</dashboard>
When you use chart, the field names become the values of your second dimension, host in your case. Try removing the filed="count" attribute from the format tag. this should apply the format to all fields, so you may need to add an extra format tag to undo this for fields you don't want this formatting to apply to.
When you use chart, the field names become the values of your second dimension, host in your case. Try removing the filed="count" attribute from the format tag. this should apply the format to all fields, so you may need to add an extra format tag to undo this for fields you don't want this formatting to apply to.
Hi @ITWhisperer
Thanks removing the filed="count" did the trick. Would you help me understand why this works? So far I understand that the field names become values with chart... but don't understand how removing count from field helped with this problem. <format type="color" field=" ">
The field attribute to the format tag identifies which field to apply the format to. By removing this, it is applied to all fields. The chart command creates a table with columns for time and each host. None of the fields are called count any more, which is why the formatting stopped working when you replaced stats with chart.
Great, thanks!
Hey @MeMilo09,
You can use different options for formatting the chart. The reference for chart options can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.4/Viz/ChartConfigurationReference
This will help you enable colors in the heat map using chart as well.