Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Visualisation and Color

Cam_G
Explorer
‎10-18-2020 03:00 AM

Hello,

I have started working on Splunk recently and have encountered a problem, I cannot find how to add a color (either green or red) to a cell in a table depending if it is "<" or ">".

Most post which I have read are either too complicated for me or are for numbers. I simply want to highlight the cell with the sign.

I have 3 rows, the first and last are for number and the middle is the sign that i want to highlight.

Is there a way in the Search page to do what i want ?

Here is how I get the correct sign : 

| eval operator_1 = if( Case1 > Case2 ,">", if(isnotnull(Case1) ,"<","") )

Thank you.

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎10-18-2020 03:14 AM 
<dashboard>
  <label>Table with color Based on Status</label>
  <row>
    <panel>
      <title>Compliance check</title>
      <html depends="$alwaysHideHTMLCSSPanel$">
        <style>
          #tableColorFinalRowBasedOnData table tbody td div.multivalue-subcell[data-mv-index="1"]{
            display: none;
          }
        </style>
      </html>
      <table id="tableColorFinalRowBasedOnData">
        <search>
          <query>| makeresults count=10
| eval Case1 = random() % 10, Case2= random() % 10
| eval operator = case( Case1 &gt; Case2 ,"&gt;", Case1 &lt; Case2 ,"&lt;",true(), "=" )
| eval color=case(operator="&gt;","HIGH",operator="&lt;","LOW",true(),NULL)
| foreach Case* operator [ eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)]
| fields - color _time
| table Case1 operator Case2</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Case1">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="Case2">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="operator">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

Row? Not a column?

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎10-18-2020 03:18 AM

How about my sample dashboard?

0 Karma
Reply
Solved! Jump to solution

Cam_G
Explorer
‎10-18-2020 03:21 AM

I am not too familiar with XML  files that is why I hoped that the solution could be put in the Search area.

As of now I am reading through your reply and trying to understand it.

Thank you for the response. 

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎10-18-2020 03:14 AM 
<dashboard>
  <label>Table with color Based on Status</label>
  <row>
    <panel>
      <title>Compliance check</title>
      <html depends="$alwaysHideHTMLCSSPanel$">
        <style>
          #tableColorFinalRowBasedOnData table tbody td div.multivalue-subcell[data-mv-index="1"]{
            display: none;
          }
        </style>
      </html>
      <table id="tableColorFinalRowBasedOnData">
        <search>
          <query>| makeresults count=10
| eval Case1 = random() % 10, Case2= random() % 10
| eval operator = case( Case1 &gt; Case2 ,"&gt;", Case1 &lt; Case2 ,"&lt;",true(), "=" )
| eval color=case(operator="&gt;","HIGH",operator="&lt;","LOW",true(),NULL)
| foreach Case* operator [ eval &lt;&lt;FIELD&gt;&gt;=mvappend('&lt;&lt;FIELD&gt;&gt;',color)]
| fields - color _time
| table Case1 operator Case2</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Case1">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="Case2">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
        <format type="color" field="operator">
          <colorPalette type="expression">case (match(value,"LOW"), "#DC4E41",match(value,"MEDIUM"), "#F8BE34",match(value,"HIGH"),"#53A051")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

Row? Not a column?

Reply
Solved! Jump to solution

Cam_G
Explorer
‎10-18-2020 11:40 AM

Thank you,

After much testing, it works fine!

0 Karma
Reply
Solved! Jump to solution

Cam_G
Explorer
‎10-18-2020 03:17 AM

Yes, my bad, I meant column

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...