Solved: How to edit my search in order to assign colors to... - Page 2

ipv6freely · ‎11-02-2016

I have this search that I'm trying to use in a single value panel:

index=network sourcetype=juniper
host=RouterA AND ospf_interface="ge-0/0/0.0" |
RPD_OSPF_NBR* "Full to Down" |
dedup ospf_interface | 
stats count as counterdown | 
eval status = if (counterdown = "1","Impacted", if (counterdown = "2","Down", "OK"))
| table status

My single value panel is showing the statuses correctly (OK, Impacted, Down) but are not coloring them (because I assume the color ranges only work on numerical values).

Is there any way to make this work for text results?

niketn · ‎11-02-2016

Once you get the single value field through stats command ( I have renamed stats count as status as it make more sense)
You should define rangemap first on status to apply colors according to value (rangemap can either be low, high, severe, critical or green, cyan, amber, red etc). Refer to rangemap documentation for details (http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Rangemap)
Then finally use another eval expression to rename the rangemap field as string for more meaning like Impacted, Down, OK etc. in your case. Use case instead of nested if as this is less confusing and less likely error prone.

index=network sourcetype=juniper
host=RouterA AND ospf_interface="ge-0/0/0.0" |
RPD_OSPF_NBR* "Full to Down" |
dedup ospf_interface |
stats count as status | rangemap field=status low=0-0 high=1-1 severe=2-2 default=low | eval status=case(status== 1, "Impacted", status== 2, "Down", 1==1,"OK")

PS: You should also consider 0 value whether it is Low or Severe. I have treated that as Low in the following example.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

How to edit my search in order to assign colors to single value text?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes