Dashboards & Visualizations

How to highlight the cell if its above or below the range?

power12
Communicator

Hello Splunkers,

I have the following query

 

 

index=abc
| search host IN (*) 
| search NOT host IN ( No_exclusions) 
| eval lower =((ref*l)+ref) 
| eval upper = if( u = "null", "10000000", (ref+(ref*u))) 
| stats latest(perf_number) as perf_number  by host Test  upper lower

 

 

 

 If the perf_number is within the range of upper and lower value then it should be green and if its above or below the range it should be RED.

I tried using the below in xml but it only gives me one color

<format type="color" field="perf_number">
          <colorPalette type="expression"> if((perf_number &gt;= lower) AND (perf_number &lt;= upper), "#00FF00", "#FF0000")</colorPalette>

 

Thanks in Advance

Labels (3)
0 Karma
1 Solution

power12
Communicator

I did a workaround and it worked for me

| foreach perf_number 
    [ eval <<FIELD>> = if(<<FIELD>> < lower OR <<FIELD>> >upper , "**".<<FIELD>>."**", <<FIELD>>)]
| chart latest(perf_number) as perf_number by Test host limit=0

And in the xml I added the below

<format type="color">
          <colorPalette type="expression">if (like(value,"**%")"#CD5C5C","#31373e")</colorPalette>

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @power12,

at first, don't use the search command after the main search: your searches are slower!

I'm not sure that's possible to setup the cell colour in dinamic mode, maybe someone else knows this solution, anyway it's surely possible in static mode.

Is it acceptable for you to add a Status field (OK,NOK) and give the colour to it?

if yes, you could use a search like this:

index=abc host IN (*) NOT (host IN (No_exclusions)) 
| eval 
   lower=((ref*l)+ref), 
   upper=if(u="null","10000000",(ref+(ref*u))) 
| stats 
   latest(perf_number) AS perf_number
   values(lower) AS lower
   values(upper) As upper
   BY host Test
| eval Status=if(perf_number>lower AND perf_number<upper,"OK,"NOK")
| table host Test Status perf_number lower upper

then you can setup the Status colour based on the value.

Ciao.

Giuseppe

0 Karma

power12
Communicator

Can we have the Status color match the perf_number ?...

0 Karma

power12
Communicator

I did a workaround and it worked for me

| foreach perf_number 
    [ eval <<FIELD>> = if(<<FIELD>> < lower OR <<FIELD>> >upper , "**".<<FIELD>>."**", <<FIELD>>)]
| chart latest(perf_number) as perf_number by Test host limit=0

And in the xml I added the below

<format type="color">
          <colorPalette type="expression">if (like(value,"**%")"#CD5C5C","#31373e")</colorPalette>
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @power12,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated :winking_face:

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @power12,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated :winking_face:

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...