Reference to the variable from the query in XML

Bracha · ‎11-29-2023

Hi, I have a dashboard in Splunk and I have a question

About the query, I have a line of fields and I have a column. and I want to color specific color if a specific field is true. how to do that. the line in the dashboard of a specific column looks like this:

<format type="color" field="nemeOfColumn"> <colorPallete></colorPallete></format>

ITWhisperer · ‎11-29-2023

        <format type="color" field="nemeOfColumn">
          <colorPalette type="expression">case(value=="True", "#00ff00")</colorPalette>
        </format>

Bracha · ‎11-29-2023

but I have 2 fields, and I want to color the first field according to the value of the second field- if true then color it red. the fields are defined as eval in query.

thank you

ITWhisperer · ‎11-29-2023

That is a different question (which has been answered many times before). Essentially, you make you field a multivalue field and hide the second value with CSS, but you can sill use the (hidden) value to select the colour by expression.

Solved: Re: Highlight row if unique values exist within dy... - Splunk Community

Bracha · ‎12-02-2023

It's not exactly the same question.
My question is how do I color a field according to another field
The query looks like this:

<query>

stats count(Code) as count_by_id

count(eval(like(message, %READ-ERROR -> DP is temporarily down%))) as read_error_count

</query>

And I want to color the read_error_count column according to the count_by_id variable
How do I do this in XML?

<option name= "count">13</option>

</colorPallete>

</format>

Thank you @ITWhisperer

ITWhisperer · ‎12-03-2023

Correct, the question is not identical, but the essence of the question is, that is, how to colour cells based on the value in another cell on the same row, in your case you want the read_error_count colour based on the value of the count_by_id. To do this, as I said earlier, and is shown in more detail in the referenced solution, you use mvappend to add a second value to the read_error_coiunt field based on the value of the count_by_id field

| eval read_error_count=if(count_by_id > 10, mvappend(read_error_count,"RED"), read_error_count)

Then use CSS to hide the second multi-value cell and set the palette to change the colour if "RED" is a value

You can use other strings and colours to your requirements.

Bracha · ‎12-03-2023

| stats count(eval(like(message, %READ-ERROR -&gt; DP is temporarily down%))) as read_error_count
|stats count(Code) as count_by_id
|eval color_value = if(read_error_count &gt; count/2 ,0,1)

i want color read_error_count column by color_value result

thanks @ITWhisperer

ITWhisperer · ‎12-03-2023

I am not sure why you are not adapting my previous suggestion - try something like this

| stats count(eval(like(message, "%READ-ERROR -&gt; DP is temporarily down%"))) as read_error_count count(Code) as count_by_id
|eval read_error_count = if(read_error_count &gt; count_by_id/2 ,mvappend(read_error_count,"RED"), read_error_count)

Reference to the variable from the query in XML

deployer

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!