
How to edit my search in order to assign colors to single value text?

Engager

I have this search that I'm trying to use in a single value panel:

    index=network sourcetype=juniper
    host=RouterA AND ospf_interface="ge-0/0/0.0" |
    search RPD_OSPF_NBR* "Full to Down" |
    dedup ospf_interface |
    stats count as counterdown |
    eval status = if (counterdown = "1","Impacted", if (counterdown = "2","Down", "OK"))
    | table status

My single value panel is showing the statuses correctly (OK, Impacted, Down) but is not coloring them (because I assume the color ranges only work on numerical values).

Is there any way to make this work for text results?

0 Karma

Re: How to edit my search in order to assign colors to single value text?

Splunk Employee

Pretty sure this is what you're looking for:
Status Indicator Custom Visualization:
https://splunkbase.splunk.com/app/3119

The doc is here, and there is an example and discussion about dynamic color and rangemapping.
http://docs.splunk.com/Documentation/StatusIndicator/1.1.0/StatusIndicatorViz/StatusIndicatorSearchD...

You'll structure things a bit differently, but this visualization will use the words or in this case... better... icons reflecting the sentiment "Impacted" or "Down" or "Okay"

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: How to edit my search in order to assign colors to single value text?

Engager

We have that visualization but I couldn't figure out how to use it for my use case. I don't see how to make it change based on the output I have.

0 Karma

Re: How to edit my search in order to assign colors to single value text?

Legend
  1. Once you get the single value field through the stats command (I have renamed stats count as status, as it makes more sense).

  2. You should define rangemap first on status to apply colors according to value (rangemap can either be low, high, severe, critical or green, cyan, amber, red etc). Refer to rangemap documentation for details (http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Rangemap)

  3. Then finally use another eval expression to rename the rangemap field as a string for more meaning, like Impacted, Down, OK etc. in your case. Use case instead of nested if, as this is less confusing and less error prone.

    index=network sourcetype=juniper
    host=RouterA AND ospf_interface="ge-0/0/0.0" |
    search RPD_OSPF_NBR* "Full to Down" |
    dedup ospf_interface |
    stats count as status |
    rangemap field=status low=0-0 high=1-1 severe=2-2 default=low |
    eval status=case(status==1, "Impacted", status==2, "Down", 1==1, "OK")

PS: You should also consider 0 value whether it is Low or Severe. I have treated that as Low in the following example.




| eval message="Happy Splunking!!!"




Re: How to edit my search in order to assign colors to single value text?

Engager

Case is definitely cleaner, so thank you for that. I think rangemap is also what I'm looking for as well.

The odd thing is when I use that search and go to the visualization tab, it works (a value of 2 shows "Down" in red text). But in my dashboard it doesn't work. It just stays grey and white. I don't know what I'm doing wrong there... same exact search string.

0 Karma

Re: How to edit my search in order to assign colors to single value text?

Legend

Since we are using rangemap in SPL to compute color ranges, we have to ensure that we don't try to use the Single Value panel's Color by value option. To ensure this, either:
Option 1) Delete and add the Single Value panel again through search
or
Option 2) Edit the Simple XML of dashboard and set <option name="useColors">0</option>

Hope this helps! Let me know otherwise.




| eval message="Happy Splunking!!!"


0 Karma

Re: How to edit my search in order to assign colors to single value text?

Engager

How odd... seems like a bug. Creating a new panel definitely worked and the text was green. Then I hit the paintbrush icon to edit and it immediately switched to black.

I want it to have the green background with the white text, like it would if I was using the color by value option.

I'll try editing the XML and see if I can make that work.

0 Karma

Re: How to edit my search in order to assign colors to single value text?

Engager

Looks like the secret is to make sure you DON'T click that brush icon... that adds in a whole bunch of options that break everything.

Add the new panel with the search, then edit the XML to add JUST the colorMode block option, and nothing else. Then it works.

Still screams bug to me that just opening up an options pane would break the rangemap coloring.

0 Karma
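
The panel setup described in the replies above (colors computed by rangemap in SPL, then only the colorMode option added by hand in the Simple XML), as an added example that is not part of the original posts. The dashboard label, panel title and time range are placeholders; the search is the one from the accepted answer.

```xml
<!-- Added example: constructed Simple XML dashboard, not taken from the thread.
     Label, panel title and time range are placeholders. -->
<dashboard>
  <label>OSPF neighbor status</label>
  <row>
    <panel>
      <title>RouterA ge-0/0/0.0</title>
      <single>
        <search>
          <!-- CDATA keeps the quotes and pipes of the SPL literal. -->
          <query><![CDATA[
index=network sourcetype=juniper host=RouterA AND ospf_interface="ge-0/0/0.0"
| search RPD_OSPF_NBR* "Full to Down"
| dedup ospf_interface
| stats count as status
| rangemap field=status low=0-0 high=1-1 severe=2-2 default=low
| eval status=case(status==1, "Impacted", status==2, "Down", 1==1, "OK")
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- The only option added by hand, as reported in the thread:
             colored background driven by the "range" field from rangemap. -->
        <option name="colorMode">block</option>
        <!-- If the visual editor has already written color options into the
             panel, the earlier reply's fix is to turn "Color by value" off:
        <option name="useColors">0</option>
        -->
      </single>
    </panel>
  </row>
</dashboard>
```
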

Re: How to edit my search in order to assign colors to single value text?

Legend

If you want to implement Status Indicator, the query should have field values for both color (ex: range_color below) and icon (ex: range_icon below).

    index=network sourcetype=juniper
    host=RouterA AND ospf_interface="ge-0/0/0.0" |
    search RPD_OSPF_NBR* "Full to Down" |
    dedup ospf_interface |
    stats count as status |
    rangemap field=status green=0-0 red=1-1 default=low | eval range_color=range |
    rangemap field=status arrow-circle-o-up=0-0 arrow-circle-o-down=1-1 default=arrow-circle-o-up | eval range_icon=range |
    eval status=case(status==1, "Down", 1==1, "OK") |
    table status, range_icon, range_color

Also, in the dashboard you would need the following options set for using color, filling background, using field value for color and field value for icon respectively:

    <option name="status_indicator_app.status_indicator.useColors">true</option>
    <option name="status_indicator_app.status_indicator.fillTarget">background</option>
    <option name="status_indicator_app.status_indicator.colorBy">field_value</option>
    <option name="status_indicator_app.status_indicator.icon">field_value</option>

Hope this works. Let me know otherwise. PS: I have taken out value 2 for simplicity.




| eval message="Happy Splunking!!!"


0 Karma