- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can i assign a color to a string in a field if...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My requirement is to highlight the "Error" string in red colour if it is present in the extracted field "Status".
Note: I am using stats command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked with the below:
<format type="color" field="Status">
<colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
</format>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Refer to one of my previous answers on similar lines. Changes can be made to Javascript to apply color/background color to complete text
https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html
Please see if it fits the need.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked with the below:
<format type="color" field="Status">
<colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
</format>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was worked to me! Thanks a lot! 😄
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to add in more values? Ive tried a few combinations of syntax and havent got it working yet.
Thanks.
Worked it out:
<colorPalette type="expression">if (like(value,"%host%") OR like(value,"%feed%"),"#D93F3C","#FFFFFF")</colorPalette>
</format>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It can be achieve using case also - I have used case, Thanks to @varun99 for providing concept.
<format type="color" field="status">
<colorPalette type="expression">case(like(value,"ok"),"#53A051",like(value,"warn"),"#F8BE34", !like(value,"ok"),"#DC4E41")</colorPalette>
</format>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes seems like case works in Splunk 8.x. Not sure which version onward it started working.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Refer to comment by @TonyLeeVT where multiple nested if can be used to set more than two color values using colorPalette type as expression https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html#comment-677995
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
great! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do this by adding this format:
<format type="color" field="Status">
<colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
</format>
try this run anywhere search:
<dashboard>
<label>error</label>
<row>
<panel>
<table>
<search>
<query>index=_internal | stats count by log_level</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="log_level">
<colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
</format>
</table>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already tried this, but it's not working. Please note that the Status field contains a big string like :
"Request received. Sent to Provider. Error. Received response from Provider."
"Error" is just a part of the string.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked with the below:
Thanks anyways 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
its possible with the help of js
have a look at https://answers.splunk.com/answers/42994/advanced-xml-highlight-certain-values-in-a-table-not-numeri...
Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
