
Single value in advanced xml : color and result

mclane1
Path Finder

I would like to show something like this:

59/45

And color the result with the result of the division:

<row>
  <panel>
    <single>
      <title>My title</title>
      <search>
        <query>index=myIndex earliest=-30m latest=now | eval lastweek="oof"
          | append [search index=myIndex earliest=-30m@-1w latest=-1w | eval lastweek="foo" ]
          | eval useCase=myUseCase | where useCase="filter"
          | stats count(eval(lastweek="oof")) as nbNow, count(eval(lastweek="foo")) as nbLastWeek by useCase
          | eval result=nbNow."/".nbLastWeek | eval percent=nbNow/nbLastWeek
          | rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low
          | fields percent, result</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="colorBy">value</option>
      <option name="colorMode">none</option>
      <!--<option name="field">result</option>-->
      <option name="numberPrecision">0.000</option>
      <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
      <option name="rangeValues">[0.4,0.6,0.8,1.1]</option>
      <option name="showSparkline">1</option>
      <option name="showTrendIndicator">1</option>
      <option name="trendColorInterpretation">standard</option>
      <option name="trendDisplayMode">absolute</option>
      <option name="unitPosition">before</option>
      <option name="useColors">1</option>
      <option name="useThousandSeparators">1</option>
      <option name="linkView">search</option>
    </single>
  </panel>
</row>

I want to see the result (in the field) and color the value using percent.
I tried the option "field", but if I select result, I see the result without color.

Any ideas?

Thanks in advance.

1 Solution

niketn
Legend

I see some performance issues with the way you have correlated two timelines.
1) If you want to compare the last 30 minutes today vs the last 30 minutes 7 days back, you should try the following earliest and latest time selectors:

 now      : earliest=-30m latest=@s 
 last week: earliest=-1d@s-30m latest=-1d@s

2) Through append you are stitching events from two different timelines and then applying a filter on the combined result. Since the field myUseCase="filter" should exist in both series, you can apply the filter in the base search for both, i.e.

   index=myIndex myUseCase="filter" earliest=-30m latest=@s

And

  search index=myIndex myUseCase="filter" earliest=-1d@s-30m latest=-1d@s

3) Since you are interested in a Single Value result, it is better to apply the transformation before correlating the events, i.e. stats should be performed in each base search and the combined results can be correlated using appendcols instead of append.

index=myIndex myUseCase="filter" earliest=-30m latest=@s
| stats count as nbNow 
| appendcols 
[search index=myIndex myUseCase="filter" earliest=-1d@s-30m latest=-1d@s
| stats count as nbLastWeek]

4) Finally, all you need to do is replace the percent value used for deciding range colors with the string result to be displayed as the single value:

  | eval percent=replace(percent,percent,result)

PS: Splunk does not officially support rangemap for setting color ranges. So once you try to edit Single Value colors through the UI Edit mode, the colors might reset, since the underlying color range values get overridden in the Simple XML configuration. (Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap...)

Following is a run-anywhere dashboard code snippet based on Splunk's _internal index that you can adapt for your use case:


  <row>
    <panel>
      <single>
        <search>
          <query>index="_internal" sourcetype="splunkd" earliest=-30m latest=@s 
  | stats count as nbNow 
  | appendcols 
  [search index="_internal" sourcetype="splunkd" earliest=-1d@s-30m latest=-1d@s
  | stats count as nbLastWeek]
  | eval result=nbNow."/".nbLastWeek 
  | eval percent=nbNow/nbLastWeek
  | table percent result  
  | rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low 
  | eval percent=replace(percent,percent,result)
          </query>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

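The week-over-week ratio and rangemap bucketing from the accepted answer, modelled offline in Python as an added example (not Splunk code and not from anyone in the thread): it uses the thread's thresholds and the question's 7-day offset, counts each window separately as the stats-then-appendcols form does, and shows what a zero baseline does to the default color. The sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# rangemap thresholds exactly as in the thread's SPL:
# rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low
RANGES = [("low", 1.1, 1.5), ("guarded", 0.8, 1.1), ("high", 0.6, 0.8),
          ("elevated", 0.4, 0.6), ("severe", 0.0, 0.4)]
DEFAULT_RANGE = "low"


def rangemap(value):
    """Bucket a ratio like SPL rangemap: inclusive bounds, default when nothing (or no value) matches.
    At a shared boundary such as 1.1 the first listed range wins here; SPL's tie-breaking is not modelled."""
    if value is None:
        return DEFAULT_RANGE
    for name, lo, hi in RANGES:
        if lo <= value <= hi:
            return name
    return DEFAULT_RANGE


def count_in_window(events, start, end):
    """Count timestamps with start <= t < end (earliest inclusive, latest exclusive, as in SPL)."""
    return sum(1 for t in events if start <= t < end)


def compare_windows(events, now, window=timedelta(minutes=30), offset=timedelta(days=7)):
    """Return (result, percent, range): the thread's nbNow."/".nbLastWeek, nbNow/nbLastWeek and rangemap bucket.
    Each window is counted separately, mirroring the stats-then-appendcols form of the accepted answer."""
    nb_now = count_in_window(events, now - window, now)
    nb_last = count_in_window(events, now - offset - window, now - offset)
    # In SPL, eval percent=nbNow/nbLastWeek is null when nbLastWeek is 0 and rangemap then falls back to
    # default=low, so a missing baseline is colored as healthy. A practitioner should treat "n/0" as a gap.
    percent = nb_now / nb_last if nb_last else None
    return f"{nb_now}/{nb_last}", percent, rangemap(percent)


def spread(end, n, window=timedelta(minutes=30)):
    """Constructed helper: n timestamps evenly spaced over [end - window, end)."""
    return [end - window + i * (window / n) for i in range(n)]


# Constructed sample: 59 events in the current 30-minute window, 45 in the same window 7 days earlier,
# and 100 yesterday that belong to neither window.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = spread(NOW, 59) + spread(NOW - timedelta(days=7), 45) + spread(NOW - timedelta(days=1), 100)

if __name__ == "__main__":
    print(compare_windows(SAMPLE_EVENTS, NOW))  # ('59/45', 1.3111..., 'low')
```

The "5/0" case in the test below is the one to watch on a real dashboard: with the thread's default=low, an empty baseline week renders in the same color as a healthy ratio.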

mclane1
Path Finder

@niketnilay
Thanks a lot for your answer
1 - I modified my query to take your comment on latest/earliest into account.
2 - I can't do this (myUseCase="filter" in the first search part) because I must make an eval to find myUseCase, but I understand what you mean. I am thinking about changing my query to do everything in the first part...
3 - I see a problem with this version: I must repeat myUseCase 2 times. And I would like to make 16 "single"s in my dashboard. Repeating twice is problematic and tedious.
4 - OK for replace.... But it doesn't work...
=> Finally it works. I had to remove rangeColors and rangeValues to get the correct result.

<row>
  <panel>
    <single>
      <title>Transactionsss</title>
      <search>
        <query>index=myIndex filter1 earliest=-30m latest=@s              
          | eval useCase=.....
          | where useCase=myUseCase
          | stats count as nbNow             
          | appendcols [search index=myIndex filter1 earliest=-1w@s-30m latest=-1w@s                           
                       | eval useCase=.....
                       | where useCase=myUseCase
                       | stats count as nbLastWeek
                       ]               
          | eval result=nbNow."/".nbLastWeek             
          | eval percent=nbNow/nbLastWeek              
          | table percent result
          | rangemap field=percent low=1.1-1.5 guarded=0.8-1.1 high=0.6-0.8 elevated=0.4-0.6 severe=0-0.4 default=low
          | eval percent=replace(percent,percent,result)</query>
      </search>
      <option name="drilldown">none</option>
      <option name="colorBy">value</option>
      <option name="colorMode">none</option>
      <option name="numberPrecision">0.0</option>
      <option name="showSparkline">1</option>
      <option name="showTrendIndicator">1</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
      <option name="trendColorInterpretation">standard</option>
      <option name="trendDisplayMode">absolute</option>
      <option name="unitPosition">after</option>
      <option name="useColors">0</option>
      <option name="useThousandSeparators">1</option>
      <option name="linkView">search</option>
    </single>
  </panel>
</row>

Sorry, I can't insert an image to show you.

niketn
Legend

@mclane1, if the above answer has resolved your issue, please Accept the Answer to mark this question as answered 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mclane1
Path Finder

I had to remove rangeColors and rangeValues to get the correct result.

niketn
Legend

@mclane1, sorry, I might have missed that in my example! Thanks for the correction!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"