Dashboards & Visualizations

Splunk Visualization Help

dvazquez1980
Explorer

I am trying to create a simple dashboard to track active site using a query like the one below. The query works and returns values but my supervisor has asked me now to add background color to the values in the dashboard. The query below basically checks to see if a service is running on a set of servers. If the service is running on server A it returns Town Name 1, if it is running on server B it returns Town Name 2. If neither is found it returns "Down". I have tried using Single Value visualization and Status Indicator Visualization but both require a numeric value to use the OTB color formatting.

How can i get the background color to change based off the text values Town1, Town2, and Down?

index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down")) | dedup Site | table Site

Labels (1)
Tags (2)
0 Karma
1 Solution

dvazquez1980
Explorer

This is what i ended up doing. Using the Single Value visualization.

index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down"))
| eval range=if(Site=="Town1", "high", if(Site=="Town2","guarded","severe"))
| dedup Site

Then editing the xml as follows:

<earliest>-24h@h</earliest>
         <latest>now</latest>
         <sampleRatio>1</sampleRatio>
       </search>
       <option name="colorMode">block</option>
       <option name="field">Site</option>
       <option name="charting.fieldColors"></option>
     </single>    </panel>

View solution in original post

0 Karma

dvazquez1980
Explorer

This is what i ended up doing. Using the Single Value visualization.

index=windows source=service host=servername* Name=service_name* earliest=-5m State="Running"
| eval Site=if(host="server1", "Town1", if(host="server2","Town2","Down"))
| eval range=if(Site=="Town1", "high", if(Site=="Town2","guarded","severe"))
| dedup Site

Then editing the xml as follows:

<earliest>-24h@h</earliest>
         <latest>now</latest>
         <sampleRatio>1</sampleRatio>
       </search>
       <option name="colorMode">block</option>
       <option name="field">Site</option>
       <option name="charting.fieldColors"></option>
     </single>    </panel>
0 Karma

dvazquez1980
Explorer

Thanks Rich...The problem with the table visualization is the size of the text. The single value and Status Indicator Visualizations have a aesthetic we are looking for. The dashboards are posted on tv screens and are meant to be read from a distance.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you use the Table visualization you can set colors based on text values. Edit the dashboard and click the pencil icon in the column to be colored. Turn on colors and select "values". Click the "Define rules" button and fill in the value and associated color. Add more rules as necessary.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...