Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to color code cells by creating a condition

Mrig342
Contributor
‎10-19-2023 09:40 AM

Hi All,

I have got logs like below:

 

 

 

</tr>
<tr>
<td ><b><font color=blue>Asia</font></b></td>
<td >Samsung_AA</td>
<td ><b><font color=green>Singapore</font></b></td>
<td ><b><font color="green">UP</font></b></td>
<td >1100</td>
<td >311-1000</td>
<td >311-1000</td>
<td >0-200000</td>
<td >3172-3</td>
<td >55663</td>
<td >NC</td>
<td >3.983-20000</td>
<td >11112-20000</td>
<td >6521-10000</td>

 

 

 

I used below query to get the below table:

 

 

 

... | rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>(?P<Region>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>(?P<VPN_Name>[^\<]+)\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>(?P<Country>[^\<]+)\<\/\w+\>\<\/b\>\<\/td\>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\"\w+\"\>(?P<VPN_Status>[^\<]+)\<\/\w+\>\<\/b\>\<\/td>"
| rex field=_raw "\<tr\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>[^\<]+\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\w+\>[^\<]+\<\/\w+\>\<\/b\>\<\/td\>\s+\<td\s\>\<b\>\<\w+\s\w+\=\"\w+\"\>[^\<]+\<\/\w+\>\<\/b\>\<\/td>\s+\<td\s\>(?P<Spooled>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Conn_Max>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Conn_SMF_Max>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Conn_Rest_Max>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Queue_Topic>[^\<]+)\<\/td\>\s+\<td\s\>(?P<SMF_SSL>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Rest_SSL>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Spool_Usage_Max>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Ingress_Usage_Max>[^\<]+)\<\/td\>\s+\<td\s\>(?P<Egress_Usage_Max>[^\<]+)\<\/td\>"
| eval Time_Stamp=strftime(_time, "%b %d, %Y %I:%M:%S %p")
| replace "UAT2-L2" with "NGC" in Region | replace "UAT2-L1" with "GC" in Region | search Region="Asia" | search VPN_Status="UP"
| table Time_Stamp,VPN_Name,Spooled,Conn_Max,Conn_SMF_Max,Conn_Rest_Max,Queue_Topic,Spool_Usage_Max,Ingress_Usage_Max,Egress_Usage_Max
| dedup VPN_Name

 

 

 

Time_Stamp VPN_Name Spooled Conn_Max Conn_SMF_Max Conn_Rest_Max Queue_Topic Spool_Usage_Max Ingress_Usage_Max Egress_Usage_Max

Oct 16, 2023 03:51:08 AMSamsung_AB01-5001-5000-2000003-20.000-50000-100000-10000
Oct 16, 2023 03:51:08 AMSamsung_AA1100311-1000311-10000-2000003172-33.983-2000011112-200006521-10000

In this table, I want to color-code the cells of the columns (Conn_Max, Conn_SMF_Max, Conn_Rest_Max, Spool_Usage_Max, Ingress_Usage_max & Egress_Usage_Max), where if first part of the field-value is greater than or equal to 50% & 80% of the second part. For e.g. if Conn_Max is 6500-10000 then it should be in yellow and if it is 8500-10000 then it should be in red  color.

Please help me to modify the query or source code so that I can get the required cells color coded as per my requirements.

Your kind inputs are highly appreciated. Thank You..!!

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-23-2023 08:26 AM

The only way you can make colour coding on cells like that is to use the format expression, but the expression you would need does not appear to work, i.e.

<format type="color" field="Conn_Max">
  <colorPalette type="expression">case(tonumber(mvindex(split(value,"-"), 0)) &gt; (tonumber(mvindex(split(value,"-"), 1)) * .8), "#FF0000", tonumber(mvindex(split(value,"-"), 0)) &gt; (tonumber(mvindex(split(value,"-"), 1)) * .5), "#FFFFCC", 1==1, "#00FF00")</colorPalette>
</format>

What this attempts to do is to split the numbers and calculate the values, but it does not work - I believe there is a bug when using multivalue eval expressions.

Otherwise, I don't believe it's possible to do it this way, you would have to do it differently

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...