Solved: Single Value color change based on diff

gnovak · ‎06-06-2011

Hi!

I have a dashboard created that evaluates the number of emails that should be sent and then the ACTUAL number of emails that were sent for a particular location.

This section of the dashboard produces 2 numbers, TotalEmailsToSend and TotalEmailsSent.

Each one of these values is put into a single value box on my dashboard.

Now the fun part. Both numbers need to match. If they do not, the non matching number should turn red while the other is green. If both numbers match, I would like them to both be green.

The TotalEmailsSent is the number that will differ if there was a problem. That number needs to turn red if it does not match the TotalEmailsToSend. Here is the code from my dashboard:

<html>
  <h1><b>ASIA - Last 24 Hours</b></h1>
  <a href="https://lists.afilias.info/lurker/search/20121201.000000.00000000@ml:asia cc-notify,sb:balance,sb:notification.en.html">Check ASIA stats on Lurker</a><br />
  </html>
<single>
      <searchName>balance_email_to_send_asia</searchName>
      <fields>TotalEmailsToSend</fields>
      <option name="beforeLabel">Total Emails To Send</option>
      <option name="linkView">flashtimeline</option>
      <option name="linkSearch">sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" Registrar="*" | eval Registrar=lower(Registrar)
</option>
    </single>
<single>
      <searchName>balance_email_sent_asia</searchName>
      <fields>TotalEmailsSent</fields>
      <option name="beforeLabel">Total Emails Sent</option>
      <option name="linkView">flashtimeline</option>
      <option name="linkSearch">sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" Registrar="*" | eval Registrar=lower(Registrar)
</option>
    </single>

From reading about how to do a color change, it looks like they want a "range" to work off of in regards to the color change. In this case, I have no idea what the values would be, just that they both need to match and if they don't, the non matching one should be red.

Also I see that in the examples most people were putting their search in the code for the dashboard where I am using SearchName.

After explaining all of this, is what I am trying to do even possible?

hazekamp · ‎06-07-2011

gnovak,

In order to achieve this both saved searches are going to need to be aware of each other. It would help if we had the syntax for these two searches, but I should be able to speak generally enough.

## Append "to send" and "sent" searches and compare "to_send_count" to "sent_count"
## If counts equate, set range == low, else set range == severe.
<balance_email_to_send_asia> | stats count as to_send_count | append[<balance_email_sent_asia> | stats count as sent_count] | eval range=if(to_send_count==sent_count,low,severe)

You could use the above search to drive both SingleValue reports, one report displays "to_send_count" and the other "sent_count". The trick is that we get both counts in a single search so they can be compared and the value of "range" set appropriately.

View solution in original post

gnovak · ‎06-07-2011

For some reason it won't let me comment my answer so I had to put it here as an "answer"

Balance_email_sent_asia

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsSent="*" | chart sum(TotalEmailsSent)

Balance_email_to_send_asia

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsToSend="*" | chart sum(TotalEmailsToSend)

hazekamp · ‎06-07-2011

gnovak, looking @ your searches the approach I outlined above is correct.

hazekamp · ‎06-07-2011

gnovak,

In order to achieve this both saved searches are going to need to be aware of each other. It would help if we had the syntax for these two searches, but I should be able to speak generally enough.

## Append "to send" and "sent" searches and compare "to_send_count" to "sent_count"
## If counts equate, set range == low, else set range == severe.
<balance_email_to_send_asia> | stats count as to_send_count | append[<balance_email_sent_asia> | stats count as sent_count] | eval range=if(to_send_count==sent_count,low,severe)

You could use the above search to drive both SingleValue reports, one report displays "to_send_count" and the other "sent_count". The trick is that we get both counts in a single search so they can be compared and the value of "range" set appropriately.

gnovak · ‎04-02-2012

this did eventually work...thanks

gnovak · ‎06-07-2011

I'm wondering can you do something like:

field=TotalEmailsSent red=TotalEmailsSent < TotalEmailsToSend default=green

or something like that....I could try it and see what happens perhaps....

gnovak · ‎06-06-2011

I was also referencing this link as well to get ideas...

http://splunk-base.splunk.com/answers/24210/single-value-module-question

Single Value color change based on diff

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...