Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Variable range values with a token?

catdadof3
Explorer
‎12-06-2022 11:45 AM

Hi all,

I have a dashboard that has a single value panel. I am trying to make a dynamic panel that will change with the data. I need to display the result number in the panel, but the coloring needs to be dependent on another number.

Example data:
Total Sandwiches Made
 

NameCheeseHamPBTurkeysummarkertopThTotal
 1110270110710Total21102200
Bill40010020600 21101120
Pam70012080100 21101000
Finn10501010 111080


And the example SPL:

index=food sourcetype=sandwiches
| stats sum(Cheese) as Cheese sum(Ham) as Ham sum(PB) as PB sum(Turkey) as Turkey by Name
| addtotals row=t col=t labelfield="sum"
| eval topTh=case(sum="Total", (Total*.05), 1=1, null())
| sort topTh
| filldown topTh
| eval marker=if(Total>=topTh, 2,1)

Basically, if the marker is 1, I'd like the color of the number to be one color and a different one for 2 while still displaying the 'Total' field.

I have the options as this:

<option name="colorBy">value</option>
<option name="drilldown">all</option>
<option name="field">Total</option>
<option name="rangeColors">["0x53A051","0xeb5654"]</option>
<option name="rangeValues">[$lowerThresh$,$upperThresh$]</option>
<option name="refresh.display">none</option>
<option name="useColors">1</option>

and additional logic above it:


<done>
<condition match="'result.marker'==2">
<set token="lowerThresh">1</set>
<set token="upperThresh">2</set>
</condition>
</done>

Any help would be greatly appreciated.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2022 01:25 PM

Single value panel from that table will only display the first row right?

Anyway, you can base your threshold on the topTh setting with the token rather than the marker, as that is your decision to set marker. 

Here's an example row that will show the 2200 in green and if you uncomment the sort marker, will show the 80 in red. As you can see it uses the topTh value to set the threshold for the token range.

  <row>
    <panel>
      <single>
        <title>Setting result threshold to $threshold$</title>
        <search>
          <done>
            <set token="threshold">$result.topTh$</set>
          </done>
          <query>| makeresults 
| eval _raw="Name,Cheese,Ham,PB,Turkey,sum,marker,topTh,Total
 ,1110,270,110,710,Total,2,110,2200
Bill,400,100,20,600, ,2,110,1120
Pam,700,120,80,100, ,2,110,1000
Finn,10,50,10,10, ,1,110,80"
| multikv forceheader=1
| table Name Cheese Ham PB Turkey sum marker topTh Total
```| sort marker```</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="field">Total</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[$threshold$]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-06-2022 01:25 PM

Single value panel from that table will only display the first row right?

Anyway, you can base your threshold on the topTh setting with the token rather than the marker, as that is your decision to set marker. 

Here's an example row that will show the 2200 in green and if you uncomment the sort marker, will show the 80 in red. As you can see it uses the topTh value to set the threshold for the token range.

  <row>
    <panel>
      <single>
        <title>Setting result threshold to $threshold$</title>
        <search>
          <done>
            <set token="threshold">$result.topTh$</set>
          </done>
          <query>| makeresults 
| eval _raw="Name,Cheese,Ham,PB,Turkey,sum,marker,topTh,Total
 ,1110,270,110,710,Total,2,110,2200
Bill,400,100,20,600, ,2,110,1120
Pam,700,120,80,100, ,2,110,1000
Finn,10,50,10,10, ,1,110,80"
| multikv forceheader=1
| table Name Cheese Ham PB Turkey sum marker topTh Total
```| sort marker```</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="field">Total</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="rangeValues">[$threshold$]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>

 

Reply
Solved! Jump to solution

catdadof3
Explorer
‎12-07-2022 07:59 AM

This is exactly what I needed! I think my issue was trying to add in 2 tokens instead of 1 in the range values.

Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...