Solved: Re: Unable to color text in single value field

Bleepie · ‎12-01-2021

Dear Splunk Community,

I have the following code:

<dashboard>
  <label></label>
  <row>
    <panel>
      <single>
        <search>
          <query>host="DESKTOP-L4ID3T2" 
source="BatchProcessor*" 
inventoryimport* 
"ExitCode: 0" 
| stats count
| eval msg=case(count == 0, "Scan niet succesvol!", count &gt; 0, "Scan succesvol!")
| eval range=case(count == 0, "severe", count &gt; 0, "low")
| table msg</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="field">range</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</dashboard>

If count returns 0 events, I expect the color of the single value field to be red (severe), otherwise it should be green (low). But using the above code, there is no color at all (besides the default color black and white).

Why is the above not working?

Thanks in advance.

ITWhisperer · ‎12-06-2021

Go back to

| table msg range

and remove this line

        <option name="field">range</option>

View solution in original post

ITWhisperer · ‎12-01-2021

Try adding these options

<option name="colorBy">value</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>

Bleepie · ‎12-02-2021

Unfortunately it doesn't apply:

Code:

<dashboard>
  <label></label>
  <row>
    <panel>
      <single>
        <search>
          <query>host="DESKTOP-L4ID3T2" 
source="BatchProcessor*" 
inventoryimport* 
"ExitCode: 0" 
| stats count
| eval msg=case(count == 0, "Scan niet succesvol!", count &gt; 0, "Scan succesvol!")
| eval range=case(count == 0, "severe", count &gt; 0, "low")
| table msg</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="field">range</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="colorBy">value</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>host="DESKTOP-L4ID3T2" 
source="BatchProcessor*" 
inventoryimport* 
"ExitCode: 0" 
| stats count
| eval msg=case(count == 0, "Scan niet succesvol!", count &gt; 0, "Scan succesvol!")
| eval range=case(count == 0, "severe", count &gt; 0, "low")
| table msg</query>
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="field">range</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="colorBy">value</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
      </single>
    </panel>
  </row>
</dashboard>

Bleepie · ‎12-06-2021

@ITWhisperer Hello Sensei, could you take another look at this 🙏?

ITWhisperer · ‎12-06-2021

You need to include range as an output field (single will only display values from the first field but can use other fields for the colouring)

| table msg range

Bleepie · ‎12-06-2021

This is the result

Bleepie · ‎12-06-2021

I have applied range ( | table msg range) and even though the coloring works, the text is either severe (red) or low (green) where I would expect Scan not succesful (red) / Scan succesful (green). Any thoughts?

ITWhisperer · ‎12-06-2021

Go back to

| table msg range

and remove this line

        <option name="field">range</option>

Bleepie · ‎12-06-2021

Works! Thanks

ITWhisperer · ‎12-06-2021

Single is using the first two fields so put count as the first

| table count msg range

Unable to color text in single value field

panel

single value

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!