My requirement is to highlight the "Error" string in red colour if it is present in the extracted field "Status".
Note: I am using stats command.
Worked with the below:
<format type="color" field="Status">
<colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
</format>
Refer to one of my previous answers on similar lines. Changes can be made to Javascript to apply color/background color to complete text
https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html
Please see if it fits the need.
Worked with the below:
<format type="color" field="Status">
<colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
</format>
It was worked to me! Thanks a lot! 😄
Is it possible to add in more values? Ive tried a few combinations of syntax and havent got it working yet.
Thanks.
Worked it out:
<colorPalette type="expression">if (like(value,"%host%") OR like(value,"%feed%"),"#D93F3C","#FFFFFF")</colorPalette>
</format>
It can be achieve using case also - I have used case, Thanks to @varun99 for providing concept.
<format type="color" field="status">
<colorPalette type="expression">case(like(value,"ok"),"#53A051",like(value,"warn"),"#F8BE34", !like(value,"ok"),"#DC4E41")</colorPalette>
</format>
Yes seems like case
works in Splunk 8.x
. Not sure which version onward it started working.
Refer to comment by @TonyLeeVT where multiple nested if
can be used to set more than two color values using colorPalette
type as expression
https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html#comment-677995
great! 🙂
You can do this by adding this format:
<format type="color" field="Status">
<colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
</format>
try this run anywhere search:
<dashboard>
<label>error</label>
<row>
<panel>
<table>
<search>
<query>index=_internal | stats count by log_level</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="log_level">
<colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
</format>
</table>
</panel>
</row>
</dashboard>
Already tried this, but it's not working. Please note that the Status field contains a big string like :
"Request received. Sent to Provider. Error. Received response from Provider."
"Error" is just a part of the string.
Worked with the below:
Thanks anyways 🙂
its possible with the help of js
have a look at https://answers.splunk.com/answers/42994/advanced-xml-highlight-certain-values-in-a-table-not-numeri...