Dashboards & Visualizations

Single Value color change based on diff

Builder

Hi!

I have a dashboard created that evaluates the number of emails that should be sent and then the ACTUAL number of emails that were sent for a particular location.

This section of the dashboard produces 2 numbers, TotalEmailsToSend and TotalEmailsSent.

Each one of these values is put into a single value box on my dashboard.

Now the fun part. Both numbers need to match. If they do not, the non matching number should turn red while the other is green. If both numbers match, I would like them to both be green.

The TotalEmailsSent is the number that will differ if there was a problem. That number needs to turn red if it does not match the TotalEmailsToSend. Here is the code from my dashboard:

<html>
  <h1><b>ASIA - Last 24 Hours</b></h1>
  <a href="https://lists.afilias.info/lurker/search/20121201.000000.00000000@ml:asia cc-notify,sb:balance,sb:notification.en.html">Check ASIA stats on Lurker</a><br />
  </html>
<single>
      <searchName>balance_email_to_send_asia</searchName>
      <fields>TotalEmailsToSend</fields>
      <option name="beforeLabel">Total Emails To Send</option>
      <option name="linkView">flashtimeline</option>
      <option name="linkSearch">sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" Registrar="*" | eval Registrar=lower(Registrar)
</option>
    </single>
<single>
      <searchName>balance_email_sent_asia</searchName>
      <fields>TotalEmailsSent</fields>
      <option name="beforeLabel">Total Emails Sent</option>
      <option name="linkView">flashtimeline</option>
      <option name="linkSearch">sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" Registrar="*" | eval Registrar=lower(Registrar)
</option>
    </single>

From reading about how to do a color change, it looks like they want a "range" to work off of in regards to the color change. In this case, I have no idea what the values would be, just that they both need to match and if they don't, the non matching one should be red.

Also I see that in the examples most people were putting their search in the code for the dashboard where I am using SearchName.

After explaining all of this, is what I am trying to do even possible?

Tags (1)
1 Solution

Builder

gnovak,

In order to achieve this both saved searches are going to need to be aware of each other. It would help if we had the syntax for these two searches, but I should be able to speak generally enough.

## Append "to send" and "sent" searches and compare "to_send_count" to "sent_count"
## If counts equate, set range == low, else set range == severe.
<balance_email_to_send_asia> | stats count as to_send_count | append[<balance_email_sent_asia> | stats count as sent_count] | eval range=if(to_send_count==sent_count,low,severe)

You could use the above search to drive both SingleValue reports, one report displays "to_send_count" and the other "sent_count". The trick is that we get both counts in a single search so they can be compared and the value of "range" set appropriately.

View solution in original post

0 Karma

Builder

For some reason it won't let me comment my answer so I had to put it here as an "answer"

Balance_email_sent_asia

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsSent="*" | chart sum(TotalEmailsSent)

Balance_email_to_send_asia

sourcetype="cron_BalanceEmail" source="*asia*" starthoursago="24" BalanceEmail sent | rex field=_raw "\[BalanceEmail\](?<TotalEmailsSent>[\d]+) of (?<TotalEmailsToSend>[\d]+) of email notification sent\." | search TotalEmailsToSend="*" | chart sum(TotalEmailsToSend)
0 Karma

Builder

gnovak, looking @ your searches the approach I outlined above is correct.

0 Karma

Builder

gnovak,

In order to achieve this both saved searches are going to need to be aware of each other. It would help if we had the syntax for these two searches, but I should be able to speak generally enough.

## Append "to send" and "sent" searches and compare "to_send_count" to "sent_count"
## If counts equate, set range == low, else set range == severe.
<balance_email_to_send_asia> | stats count as to_send_count | append[<balance_email_sent_asia> | stats count as sent_count] | eval range=if(to_send_count==sent_count,low,severe)

You could use the above search to drive both SingleValue reports, one report displays "to_send_count" and the other "sent_count". The trick is that we get both counts in a single search so they can be compared and the value of "range" set appropriately.

View solution in original post

0 Karma

Builder

this did eventually work...thanks

0 Karma

Builder

I'm wondering can you do something like:

field=TotalEmailsSent red=TotalEmailsSent < TotalEmailsToSend default=green

or something like that....I could try it and see what happens perhaps....

0 Karma

Builder

I was also referencing this link as well to get ideas...

http://splunk-base.splunk.com/answers/24210/single-value-module-question

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!