Dashboards & Visualizations

How to enable event type coloring?

twinspop
Influencer

I cannot get event type coloring to work strictly by defining a new event type in Splunk Web and assigning it a color. Is there a configuration toggle somewhere to enable/disable event type coloring?

0 Karma
1 Solution

skoelpin
SplunkTrust

Do you have event_renderers.conf listed in your $SPLUNK_HOME/etc/system/local?

If not, then create the file with the following:

.splEvent-et_blue .t { color:#00F; }
.splEvent-et_green .t { color:#0C0; }
.splEvent-et_magenta .t { color:#F09; }
.splEvent-et_orange .t { color:#F30; }
.splEvent-et_purple .t { color:#90C; }
.splEvent-et_red .t { color:#F00; }
.splEvent-et_sky .t { color:#09F; }
.splEvent-et_teal .t { color:#099; }
.splEvent-et_yellow .t { color:#990; }


twinspop
Influencer

On the working server, this is the event_renderers.conf content:

/app/splunk/etc> splunk btool event_renderers list
[crawled_files_stanza]
css_class =
eventtype = crawled_files
priority = 200
template = crawledfile.html
[default]
css_class =
eventtype =
priority = 0
template = //results/EventsViewer_default_renderer.html
[discovered_eventtype_stanza]
css_class =
eventtype = discovered_eventtype
priority = 200
template = discovered.html

I'll try adding the above to the non-working server.

0 Karma

twinspop
Influencer

So weird. Your suggestion worked. My working install didn't need it; why does this one? Strange. Anyway, thanks for the fix.

0 Karma

lguinn2
Legend

Where do you expect eventtype coloring to appear?

0 Karma

twinspop
Influencer

In the event viewer. When you have a list of events returned from a search, click on the > in the "i" column. Now under event actions, select build event type. In the resulting page, save your event type. You will be given a choice of colors to assign to it. Once the event type definition takes effect, your search results will be color coded. Like this: http://imgur.com/a/sTQRQ This works on a fresh install of Splunk. But on my currently in-use system, it doesn't. There must be a setting somewhere to toggle it?

0 Karma