Using color in reports (saved search) table based on content of field.

lakromani
Builder

What I am trying to do, I can get to work in a dashboard, but I would like it to work in reports (savedsearches.conf).

My data looks something like this.
My search: | rest /services/licenser/slaves | table label

sh-nm-1
pmsl-pfssplki01
nmsplnksysp01
pmsl-pnmsplka01
mmsl-pfssplka01
pmsl-pfssplka01
mmsl-pnmsplka04
fssplnksysp01

My goal is to differentiate systems using color on the label column.
From the manual: https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Savedsearchesconf

# Color format options
display.statistics.format.<index>.colorPalette = [expression|list|map|minMidMax|sharedList]
# Color palette options for 'expression'
display.statistics.format.<index>.colorPalette.rule = <string>

Here is what I have tried.

display.statistics.format.0 = color
display.statistics.format.0.colorPalette = expression
display.statistics.format.0.colorPalette.colors = case(like(label,"pmsl%"),"#ffff00",like(label,"mmsl%"),"#ff00ff",1=1,"#00ffff")
display.statistics.format.0.field = label

But no colors are showing up. The case rule works fine.
The manual says nothing about what the <string> should look like.

A workaround is to create a new column and color it like this:
| rest /services/licenser/slaves | table label | eval customer=case(like(label,"pmsl%"),"systemA",like(label,"mmsl%"),"systemB",1=1,"old")
Then add color for systemA, systemB and old.

But I would like to get this to work for my original column. Anyone?


niketn
Legend

@lakromani the following settings worked fine for me. I just got rid of the percent sign % and used true() for the default color.

display.statistics.format.0=color
display.statistics.format.0.field = label
display.statistics.format.0.colorPalette = expression
display.statistics.format.0.colorPalette.rule = case(like(value,"pmsl"),"#ffff00",like(value,"mmsl"),"#ff00ff",true(),"#00ffff") 

Following two tips:
1) Splunk restart, refresh, bump and internet browser cache cleaning would be required for changes to reflect.
2) You should test your colorPalette expression changes in Dashboard table first to ensure they are working as expected, then apply the expression in Saved Search configuration.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lakromani
Builder

It does work, thanks. 1=1 does also work.

But why did you change name to value? I thought I needed the field name as input.

Also it does not seem to like match(), only like()
like(value,"pmsl") OK
match(value,"pmsl") Not OK

Debug/refresh (or restart on free version) is needed to get it to work

Final result

display.statistics.format.1.colorPalette.rule = case(like(value,"_pms") OR like(value,"_PMS"),"#ffff00",like(value,"_mms") OR like(value,"_mms"),"#ff00ff",1=1,"#00ffff")

gcusello
SplunkTrust

Hi lakromani,
did you try to schedule a dashboard?
In this way, you can use all the features of a dashboard (colours, images, etc.) and put them in a static scheduled dashboard that has PDF format and is very similar to a Report.
You only have to pay close attention to formatting, because if you have more panels, they may not be aligned in the scheduled dashboard as they are on the screen.
But if you have only one panel it's OK.
This is also a way to put a graphic in a report.

Bye.
Giuseppe

lakromani
Builder

I know that I can use a dashboard, but Splunk describes in the manual that this should be possible with saved searches as well. So it's somewhat strange that there is no one who can help out with this.
