Splunk Search

Can I assign a color to a string in a field if it is present in the field?

Path Finder

My requirement is to highlight the "Error" string in red colour if it is present in the extracted field "Status".
Note: I am using stats command.

1 Solution

Path Finder

Worked with the below:

    <format type="color" field="Status">
      <colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
    </format>



Refer to one of my previous answers on similar lines. Changes can be made to Javascript to apply color/background color to complete text

Please see if it fits the need.

| makeresults | eval message= "Happy Splunking!!!"

Path Finder


It worked for me! Thanks a lot! 😄


Path Finder

Is it possible to add in more values? I've tried a few combinations of syntax and haven't got it working yet.
Worked it out:

      <colorPalette type="expression">if (like(value,"%host%") OR like(value,"%feed%"),"#D93F3C","#FFFFFF")</colorPalette>

Path Finder

It can be achieved using case also. I have used case; thanks to @varun99 for providing the concept.

    <format type="color" field="status">
      <colorPalette type="expression">case(like(value,"ok"),"#53A051",like(value,"warn"),"#F8BE34", !like(value,"ok"),"#DC4E41")</colorPalette>
    </format>


Yes seems like case works in Splunk 8.x. Not sure which version onward it started working.

| makeresults | eval message= "Happy Splunking!!!"


Refer to comment by @TonyLeeVT where multiple nested if can be used to set more than two color values using colorPalette type as expression https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html#comment-677995

| makeresults | eval message= "Happy Splunking!!!"
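A complete run-anywhere dashboard that ties the thread together, added here as an example (it is not code from any of the posters). It keeps the original requirement of a `stats` command, matches "Error" as a substring of a longer `Status` string with `like(value,"%Error%")`, and uses the nested `if` form to get three colors instead of two. The sample `Status` rows are constructed with `makeresults` so the panel can be pasted into a new dashboard without any indexed data; the hex colors are assumptions, not values from the thread.

```xml
<dashboard>
  <label>Status highlighting (added example)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed sample rows; replace this search with your own stats search -->
          <query>
| makeresults count=4
| streamstats count as n
| eval Status=case(n=1,"Request received. Sent to Provider. Error. Received response from Provider.",
                   n=2,"Request received. Warning: slow provider.",
                   n=3,"Request received. OK.",
                   n=4,"Request received. Sent to Provider. Received response from Provider.")
| stats count by Status
          </query>
        </search>
        <option name="drilldown">none</option>
        <option name="wrap">true</option>
        <!-- Expression palette: "value" is the cell text of the Status field.
             Outer if catches substrings containing Error (red), inner if catches
             Warning (amber), everything else falls through to green. -->
        <format type="color" field="Status">
          <colorPalette type="expression">if(like(value,"%Error%"),"#DC4E41", if(like(value,"%Warning%"),"#F8BE34","#53A051"))</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```

Because `like` is case-sensitive, a row whose text says "error" in lower case would not be colored by this expression; use `%rror%` or a `lower()`-based comparison if the source casing varies.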

Super Champion

great! 🙂


Super Champion

You can do this by adding this format:

    <format type="color" field="Status">
      <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
    </format>

Try this run-anywhere search:

      <table>
        <search>
          <query>index=_internal | stats count by log_level</query>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="log_level">
          <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
        </format>
      </table>

Path Finder

Already tried this, but it's not working. Please note that the Status field contains a big string like:
"Request received. Sent to Provider. Error. Received response from Provider."
"Error" is just a part of the string.


Path Finder

Worked with the below:

if (like(value,"%Error%"),"#FF5733","#247bc1")

Thanks anyways 🙂

