Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk Visualization Help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a simple dashboard to track active site using a query like the one below. The query works and returns values but my supervisor has asked me now to add background color to the values in the dashboard. The query below basically checks to see if a service is running on a set of servers. If the service is running on server A it returns Town Name 1, if it is running on server B it returns Town Name 2. If neither is found it returns "Down". I have tried using Single Value visualization and Status Indicator Visualization but both require a numeric value to use the OTB color formatting.
How can i get the background color to change based off the text values Town1, Town2, and Down?
index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down")) | dedup Site | table Site
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what i ended up doing. Using the Single Value visualization.
index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down"))
| eval range=if(Site=="Town1", "high", if(Site=="Town2","guarded","severe"))
| dedup Site
Then editing the xml as follows:
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="field">Site</option>
<option name="charting.fieldColors"></option>
</single> </panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what i ended up doing. Using the Single Value visualization.
index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down"))
| eval range=if(Site=="Town1", "high", if(Site=="Town2","guarded","severe"))
| dedup Site
Then editing the xml as follows:
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="field">Site</option>
<option name="charting.fieldColors"></option>
</single> </panel>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Rich...The problem with the table visualization is the size of the text. The single value and Status Indicator Visualizations have a aesthetic we are looking for. The dashboards are posted on tv screens and are meant to be read from a distance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you use the Table visualization you can set colors based on text values. Edit the dashboard and click the pencil icon in the column to be colored. Turn on colors and select "values". Click the "Define rules" button and fill in the value and associated color. Add more rules as necessary.
If this reply helps you, Karma would be appreciated.
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
Data Persistence in the OpenTelemetry Collector
Thanks for the Memories! Splunk University, .conf25, and our Community
