Dashboards & Visualizations

How to refer to a column value ?

zacksoft
Contributor

My query generates a table with two columns .
| index = somethnig
| table car price

car           price
yegalo     2999
printek    3444
altox         5433
ylome    3222

etc..

I want to color the column price as red or green depending on the car name.
If the car name is yegalo or ylome then the respective rows i.e. 2999 or 3222 should be red , others should be green.

I am trying the following in the simpleXML

<format type="color" field="price">
          <colorPalette type="expression">if(like(value,"%y"), "#00F000", "#F00000")</colorPalette>
        </format>

How ever the underlined if condition is checking the condition in "price" column instead of "car" column. 
I tried    if(like($result.car,"%y"),    But it won't work.

Labels (1)
0 Karma
1 Solution

niketn
Legend

@zacksoft you can refer to the following answer with two approach Simple XML and JS

https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-highlight-a-table-cell-based-on...

Simple XML approach in the above answer shows the field to decide color as part of value field as well. However, you can adapt the following answer so that it applies color based on other cell without showing the dependent value using Simple XML without JS: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-font-color-based-on-a-condit...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try changing 

field="price"

to 

field="car"
---
If this reply helps you, Karma would be appreciated.
0 Karma

zacksoft
Contributor

@richgalloway  If I change field="price" to field="car" , then it is changing the colour of the "car" field , not the "price" field. What I am looking is to change the colour of "price" depending on the values present in "car".

0 Karma

niketn
Legend

@zacksoft you can refer to the following answer with two approach Simple XML and JS

https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-highlight-a-table-cell-based-on...

Simple XML approach in the above answer shows the field to decide color as part of value field as well. However, you can adapt the following answer so that it applies color based on other cell without showing the dependent value using Simple XML without JS: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-font-color-based-on-a-condit...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

zacksoft
Contributor

Thanks @niketn .
I have to use the simpleXML way, However I am a bit confused with the solution and I could use some help in understanding.
The solution is becoming something like this

<format type="color" field="price">
          <colorPalette type="map">{"2999":#D93F3C,"4999":#6DB7C6}</colorPalette>
        </format>

then again it is looking at the "price" field for determining the colour of "price" cell. It ain't checking the field "car" . Based on field "car" it is supposed to change the "price" colour.

Sorry If I misunderstood the simpleXML solution.

0 Karma

niketn
Legend

The complete Simple XML approach in the second answer link (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-change-font-color-based-on-a-condit...) is to :

  1. Use an eval and suffix label value along with a delimiter to all other fields in the same row.
  2. Then use split() eval function to split the values into multivalue field.
  3. Then use Simple XML CSS to hide the split value from the label field.
  4. Finally apply expression based on label field value that is present in the second field but hidden through CSS. You can try to run the example code and open the search in a new window to see how SPL for above steps are working.

If not you will have to use JS but approach for data will remain the same in SPL. PS the row in the example is colored based on label field log_level.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...