Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Variable range values with a token?

catdadof3
Engager
‎12-06-2022 11:45 AM

Hi all,

I have a dashboard that has a single value panel. I am trying to make a dynamic panel that will change with the data. I need to display the result number in the panel, but the coloring needs to be dependent on another number.

Example data:
Total Sandwiches Made
 

NameCheeseHamPBTurkeysummarkertopThTotal
 1110270110710Total21102200
Bill40010020600 21101120
Pam70012080100 21101000
Finn10501010 111080


And the example SPL:

index=food sourcetype=sandwiches
| stats sum(Cheese) as Cheese sum(Ham) as Ham sum(PB) as PB sum(Turkey) as Turkey by Name
| addtotals row=t col=t labelfield="sum"
| eval topTh=case(sum="Total", (Total*.05), 1=1, null())
| sort topTh
| filldown topTh
| eval marker=if(Total>=topTh, 2,1)

Basically, if the marker is 1, I'd like the color of the number to be one color and a different one for 2 while still displaying the 'Total' field.

I have the options as this:

<option name="colorBy">value</option>
<option name="drilldown">all</option>
<option name="field">Total</option>
<option name="rangeColors">["0x53A051","0xeb5654"]</option>
<option name="rangeValues">[$lowerThresh$,$upperThresh$]</option>
<option name="refresh.display">none</option>
<option name="useColors">1</option>

and additional logic above it:


<done>
<condition match="'result.marker'==2">
<set token="lowerThresh">1</set>
<set token="upperThresh">2</set>
</condition>
</done>

Any help would be greatly appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2022 01:25 PM

Single value panel from that table will only display the first row right?

Anyway, you can base your threshold on the topTh setting with the token rather than the marker, as that is your decision to set marker. 

Here's an example row that will show the 2200 in green and if you uncomment the sort marker, will show the 80 in red. As you can see it uses the topTh value to set the threshold for the token range.

  <row>
    <panel>
      <single>
        <title>Setting result threshold to $threshold$</title>
        <search>
          <done>
            <set token="threshold">$result.topTh$</set>
          </done>
          <query>| makeresults 
| eval _raw="Name,Cheese,Ham,PB,Turkey,sum,marker,topTh,Total
 ,1110,270,110,710,Total,2,110,2200
Bill,400,100,20,600, ,2,110,1120
Pam,700,120,80,100, ,2,110,1000
Finn,10,50,10,10, ,1,110,80"
| multikv forceheader=1
| table Name Cheese Ham PB Turkey sum marker topTh Total
```| sort marker```</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="field">Total</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[$threshold$]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2022 01:25 PM

Single value panel from that table will only display the first row right?

Anyway, you can base your threshold on the topTh setting with the token rather than the marker, as that is your decision to set marker. 

Here's an example row that will show the 2200 in green and if you uncomment the sort marker, will show the 80 in red. As you can see it uses the topTh value to set the threshold for the token range.

  <row>
    <panel>
      <single>
        <title>Setting result threshold to $threshold$</title>
        <search>
          <done>
            <set token="threshold">$result.topTh$</set>
          </done>
          <query>| makeresults 
| eval _raw="Name,Cheese,Ham,PB,Turkey,sum,marker,topTh,Total
 ,1110,270,110,710,Total,2,110,2200
Bill,400,100,20,600, ,2,110,1120
Pam,700,120,80,100, ,2,110,1000
Finn,10,50,10,10, ,1,110,80"
| multikv forceheader=1
| table Name Cheese Ham PB Turkey sum marker topTh Total
```| sort marker```</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="field">Total</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[$threshold$]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>

 

Reply
Solved! Jump to solution

catdadof3
Engager
‎12-07-2022 07:59 AM

This is exactly what I needed! I think my issue was trying to add in 2 tokens instead of 1 in the range values.

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...