How to highlight cells in the results table that match options selected in multiselect

noahdietrich
Explorer

Hello,

I have a multiselect list of the days of the week, and I want my search results table to be highlighted if those days are part of the event (there will be results shown that don't match the days of the week selected). I can't figure out how to highlight the cells in the results table that match the options selected in the multiselect. A simple example of what I thought would work but nothing gets highlighted:

<form>
  <label>After Hours Logons</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="txt_weekend_days">
      <label>Weekend Days</label>
      <choice value="Saturday">Saturday</choice>
      <choice value="Sunday">Sunday</choice>
      <choice value="Monday">Monday</choice>
      <choice value="Tuesday">Tuesday</choice>
      <choice value="Wednesday">Wednesday</choice>
      <choice value="Thursday">Thursday</choice>
      <choice value="Friday">Friday</choice>
      <initialValue>Saturday,Sunday</initialValue>
      <valuePrefix>"</valuePrefix>
      <delimiter>, </delimiter>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Logons</title>
      <table>
        <search>
          <query>index=wineventlog sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4624
| eval day = strftime(_time,"%A") 
| table _time day host User</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="day">
          <colorPalette type="expression">if (value IN ($txt_weekend_days$),"#FF0000", "#00FF00")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>

So the issue is related to the line:

<colorPalette type="expression">if (value IN ($txt_weekend_days$),"#FF0000", "#00FF00")</colorPalette>

I tried a number of ways to format this but had no luck. Does anyone know if this is possible? I know that the token txt_weekend_days expands to "Saturday", "Sunday" without issue, which should work with the IN statement, but it seems like the type of expression that the colorPalette accepts is limited.

I am running Splunk Enterprise 7.2.6.

Thank you
Noah

0 Karma
poete
Builder

Hello @noahdietrich,
I played a bit with your question, and I could not get it to work either, using the 'in' function.

I somehow found a workaround, and it looks like this:

First, I modified the multiselect.

<input type="multiselect" token="txt_weekend_days">
  <label>Weekend Days</label>
  <choice value="Saturday">Saturday</choice>
  <choice value="Sunday">Sunday</choice>
  <choice value="Monday">Monday</choice>
  <choice value="Tuesday">Tuesday</choice>
  <choice value="Wednesday">Wednesday</choice>
  <choice value="Thursday">Thursday</choice>
  <choice value="Friday">Friday</choice>
  <initialValue>Saturday,Sunday</initialValue>
  <delimiter>,</delimiter>
  <prefix>"</prefix>
  <suffix>"</suffix>
</input>

This is in order to get a string as the txt_weekend_days token.

Then, as the in function does not seem to work within the expression of the colorPalette, I modified the condition too:

<format type="color" field="day">
  <colorPalette type="expression">if(isnotnull(mvfind(split($txt_weekend_days$,","),value)),"#FF0000", "#00FF00")</colorPalette>
</format>

It does the trick, as far as I can see.

Yet be careful, it does not seem the expression is re-evaluated every time the txt_weekend_days token is modified.

I hope this helps!

0 Karma

noahdietrich
Explorer

That does solve the question. You are correct that the expression is not re-evaluated each time the token is modified...which isn't good. I'll look into that.

0 Karma
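
An alternative to the workaround discussed in this thread, added here as an example and not code from either poster: do the membership test in the search itself and color a separate flag column with a `map` palette. Because the token is referenced inside the query, the search is dispatched again when the form is submitted, so the flag follows the current selection. The field name `selected_day` is a hypothetical name chosen for this example; the multiselect keeps the `valuePrefix`/`delimiter`/`valueSuffix` settings from the original question, so the token expands to `"Saturday", "Sunday"`. This colors the flag cell rather than the `day` cell.

```xml
<form>
  <label>After Hours Logons</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="txt_weekend_days">
      <label>Weekend Days</label>
      <choice value="Saturday">Saturday</choice>
      <choice value="Sunday">Sunday</choice>
      <choice value="Monday">Monday</choice>
      <choice value="Tuesday">Tuesday</choice>
      <choice value="Wednesday">Wednesday</choice>
      <choice value="Thursday">Thursday</choice>
      <choice value="Friday">Friday</choice>
      <initialValue>Saturday,Sunday</initialValue>
      <!-- Each selected value is quoted, so the token is a valid eval value list -->
      <valuePrefix>"</valuePrefix>
      <delimiter>, </delimiter>
      <valueSuffix>"</valueSuffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Logons</title>
      <table>
        <search>
          <!-- selected_day (hypothetical name) is computed by the search, not by the palette -->
          <query>index=wineventlog sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4624
| eval day = strftime(_time,"%A")
| eval selected_day = if(in(day, $txt_weekend_days$), "yes", "no")
| table _time day selected_day host User</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
        <!-- A map palette only matches literal cell values, so no token is needed here -->
        <format type="color" field="selected_day">
          <colorPalette type="map">{"yes":#FF0000,"no":#00FF00}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>
```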
