- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to highlight cells in the results table that m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a multiselect list of the days of the week, and I want my search results table to be highlighted if those days are part of the event (there will be results shown that don't match the days of the week selected). I can't figure out how to highlight the cells in the results table that match the options selected in the multiselect. A simple example of what I thought would work but nothing gets highlighted:
<form>
<label>After Hours Logons</label>
<fieldset submitButton="true">
<input type="multiselect" token="txt_weekend_days">
<label>Weekend Days</label>
<choice value="Saturday">Saurday</choice>
<choice value="Sunday">Sunday</choice>
<choice value="Monday">Monday</choice>
<choice value="Tuesday">Tuesday</choice>
<choice value="Wednesday">Wednesday</choice>
<choice value="Thursday">Thursday</choice>
<choice value="Friday">Friday</choice>
<initialValue>Saturday,Sunday</initialValue>
<valuePrefix>"</valuePrefix>
<delimiter>, </delimiter>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<title>Logons</title>
<table>
<search>
<query>index=wineventlog sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4624
| eval day = strftime(_time,"%A")
| table _time day host User</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="day">
<colorPalette type="expression">if (value IN ($txt_weekend_days$),"#FF0000", "#00FF00")</colorPalette>
</format>
</table>
</panel>
</row>
</form>
So the issue is related to the line:
<colorPalette type="expression">if (value IN ($txt_weekend_days$),"#FF0000", "#00FF00")</colorPalette>
I tried a number of ways to format this but had no luck. does anyone know if this is possible? I know that the token txt_weekend_days expands to "Saturday", "Sunday" without issue, which should work with the IN statement, but it seems like the type of expression that the colorPalette accepts is limited.
I am running Splunk enterprise 7.2.6.
Thank you
Noah
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @noahdietrich,
I played a bit with your question, and I could not have it work either, using the 'in' function.
I somehow found a workaround, and it looks like this :
First, I modified the multiselect.
<input type="multiselect" token="txt_weekend_days">
<label>Weekend Days</label>
<choice value="Saturday">Saurday</choice>
<choice value="Sunday">Sunday</choice>
<choice value="Monday">Monday</choice>
<choice value="Tuesday">Tuesday</choice>
<choice value="Wednesday">Wednesday</choice>
<choice value="Thursday">Thursday</choice>
<choice value="Friday">Friday</choice>
<initialValue>Saturday,Sunday</initialValue>
<delimiter>,</delimiter>
<prefix>"</prefix>
<suffix>"</suffix>
</input>
This is in order to get a string as txt_weekend_days token
Then, as the in function does not seem to work witthin the expression of the colorPalette, I modified the condition too :
<format type="color" field="day">
<colorPalette type="expression">if(isnotnull(mvfind(split($txt_weekend_days$,","),value)),"#FF0000", "#00FF00")</colorPalette>
</format>
It does the trick, as far I can see.
Yet be carefull, it does not seem the expression is re-evaluated every time the txt_weekend_daystoken is modified.
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that does solve the question. you are correct that the expresion is not re-evaluated each time the token is modified...which isn't good. I'll look into that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @noahdietrich,
I played a bit with your question, and I could not have it work either, using the 'in' function.
I somehow found a workaround, and it looks like this :
First, I modified the multiselect.
<input type="multiselect" token="txt_weekend_days">
<label>Weekend Days</label>
<choice value="Saturday">Saurday</choice>
<choice value="Sunday">Sunday</choice>
<choice value="Monday">Monday</choice>
<choice value="Tuesday">Tuesday</choice>
<choice value="Wednesday">Wednesday</choice>
<choice value="Thursday">Thursday</choice>
<choice value="Friday">Friday</choice>
<initialValue>Saturday,Sunday</initialValue>
<delimiter>,</delimiter>
<prefix>"</prefix>
<suffix>"</suffix>
</input>
This is in order to get a string as txt_weekend_days token
Then, as the in function does not seem to work witthin the expression of the colorPalette, I modified the condition too :
<format type="color" field="day">
<colorPalette type="expression">if(isnotnull(mvfind(split($txt_weekend_days$,","),value)),"#FF0000", "#00FF00")</colorPalette>
</format>
It does the trick, as far I can see.
Yet be carefull, it does not seem the expression is re-evaluated every time the txt_weekend_daystoken is modified.
I hope this helps!
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
