Solved: Re: Table Formats Coloring

MeMilo09 · ‎02-24-2022

Hello Splunk Community,

I am trying to replicate a heat map using the table formats app available through Splunk. I see the coloring of the cells when I use the stats command as below, but I need to have the data show as a chart. The issue is when I use chart all the color goes away from the table. Is there a work around for this problem?

<dashboard>
  <label>Table Formats</label>
  <description>Format columns using built-in table formats (coloring, number formatting).</description>
  <row>
    <panel>
      <table>
        <search>
          <query>
        index="Dept_data_idx"  eventType="Created" status="success" host=* | bucket _time span=1h | stats  count by _time host
          </query>
          <earliest>-7d</earliest>
          <latest>now</latest>
        </search>
       <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#31A35F" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax"></scale>
        </format>
      </table>
      <html>   
      </html>
    </panel>
    </row>
</dashboard>

ITWhisperer · ‎02-25-2022

When you use chart, the field names become the values of your second dimension, host in your case. Try removing the filed="count" attribute from the format tag. this should apply the format to all fields, so you may need to add an extra format tag to undo this for fields you don't want this formatting to apply to.

View solution in original post

ITWhisperer · ‎02-25-2022

When you use chart, the field names become the values of your second dimension, host in your case. Try removing the filed="count" attribute from the format tag. this should apply the format to all fields, so you may need to add an extra format tag to undo this for fields you don't want this formatting to apply to.

MeMilo09 · ‎02-25-2022

Hi @ITWhisperer

Thanks removing the filed="count" did the trick. Would you help me understand why this works? So far I understand that the field names become values with chart... but don't understand how removing count from field helped with this problem. <format type="color" field=" ">

ITWhisperer · ‎02-25-2022

The field attribute to the format tag identifies which field to apply the format to. By removing this, it is applied to all fields. The chart command creates a table with columns for time and each host. None of the fields are called count any more, which is why the formatting stopped working when you replaced stats with chart.

MeMilo09 · ‎02-26-2022

Great, thanks!

tshah-splunk · ‎02-24-2022

Hey @MeMilo09,

You can use different options for formatting the chart. The reference for chart options can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.4/Viz/ChartConfigurationReference

This will help you enable colors in the heat map using chart as well.

---
If you find the answer helpful, an upvote/karma is appreciated

How to create a Table Formats Coloring

chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation