Splunk Search

Best way to highlight a table row that has been updated in the last N minutes

gregbujak
Path Finder

Im trying to figure out the best approach to using css(?) to highlight a row that has been updated in the last number of minutes. Specifically this is around order processing. These orders have a lifecycle that they go through until they are complete. I want to highlight the order (row) that has been changed.

Tags (3)
1 Solution

aholzer
Motivator

You'll have to combine CSS with some advanced xml / Sideview Utils and some search manipulation. If you are using Sideview Utils (recommended), you can use the param "rowClass" from the Table module to set a tag that you will use in your CSS.

Let's take this step by step:
1) Your search - You'll need a field that contains a flag to highlight or not depending on when the event occurred compared to the current time. Note you want to use time() rather than now() specially if you are using real-time searches. I've selected 5 minutes as the time frame to highlight the events for, but by changing the 5 below you can select however many minutes you need.

... | eval flash_time_css = if(time() - _time < 60 * 5, "FLASHYES", "FLASHNO")

2) Now that we have the flag, you can use it in your dashboard xml to create a rowClass entry in your Table module. I would also suggest using the hiddenFields parameter from the Table module to avoid displaying this flag. Something like this:

<module name="Table">
  <param name="hiddenFields">flash_time_css</param>
  <param name="rowClass">$row.fields.flash_time_css$</param>
</module>

3) Lastly your CSS. You have now set the "class" for your "tr" tags, and you should define an entry to change the highlight. I've chosen to highlight the appropriate rows with a background of yellow for my example.

tr.FLASHYES td{
background-color:yellow;
}

Important note: If you created the css as part of these steps, you'll need to restart Splunk for it to pick it up. If, however, the css already existed, all you need to do is refresh the dashboard so that it picks it up.

Good luck!

View solution in original post

gregbujak
Path Finder

@aholzer

Awesome. This looks great and it will get me through the current jam. I suspect that there has got to be a better approach with css then using the full class but you get a cookie (but I do have more cookies to give out).

0 Karma

aholzer
Motivator

You'll have to combine CSS with some advanced xml / Sideview Utils and some search manipulation. If you are using Sideview Utils (recommended), you can use the param "rowClass" from the Table module to set a tag that you will use in your CSS.

Let's take this step by step:
1) Your search - You'll need a field that contains a flag to highlight or not depending on when the event occurred compared to the current time. Note you want to use time() rather than now() specially if you are using real-time searches. I've selected 5 minutes as the time frame to highlight the events for, but by changing the 5 below you can select however many minutes you need.

... | eval flash_time_css = if(time() - _time < 60 * 5, "FLASHYES", "FLASHNO")

2) Now that we have the flag, you can use it in your dashboard xml to create a rowClass entry in your Table module. I would also suggest using the hiddenFields parameter from the Table module to avoid displaying this flag. Something like this:

<module name="Table">
  <param name="hiddenFields">flash_time_css</param>
  <param name="rowClass">$row.fields.flash_time_css$</param>
</module>

3) Lastly your CSS. You have now set the "class" for your "tr" tags, and you should define an entry to change the highlight. I've chosen to highlight the appropriate rows with a background of yellow for my example.

tr.FLASHYES td{
background-color:yellow;
}

Important note: If you created the css as part of these steps, you'll need to restart Splunk for it to pick it up. If, however, the css already existed, all you need to do is refresh the dashboard so that it picks it up.

Good luck!

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...