Solved: Re: Can i assign a color to a string in a field if...

varun99 · ‎02-07-2018

My requirement is to highlight the "Error" string in red colour if it is present in the extracted field "Status".
Note: I am using stats command.

varun99 · ‎02-07-2018

Worked with the below:

    <format type="color" field="Status">
      <colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
    </format>

View solution in original post

niketn · ‎04-14-2018

Refer to one of my previous answers on similar lines. Changes can be made to Javascript to apply color/background color to complete text

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html
Please see if it fits the need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

varun99 · ‎02-07-2018

Worked with the below:

    <format type="color" field="Status">
      <colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
    </format>

markhill1 · ‎04-14-2018

Is it possible to add in more values? Ive tried a few combinations of syntax and havent got it working yet.
Thanks.
Worked it out:

      <colorPalette type="expression">if (like(value,"%host%") OR like(value,"%feed%"),"#D93F3C","#FFFFFF")</colorPalette>
    </format>

askkawalkar · ‎04-05-2019

It can be achieve using case also - I have used case, Thanks to @varun99 for providing concept.

<format type="color" field="status">
          <colorPalette type="expression">case(like(value,"ok"),"#53A051",like(value,"warn"),"#F8BE34", !like(value,"ok"),"#DC4E41")</colorPalette>
        </format>

niketn · ‎04-25-2020

Yes seems like case works in Splunk 8.x. Not sure which version onward it started working.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎08-04-2018

Refer to comment by @TonyLeeVT where multiple nested if can be used to set more than two color values using colorPalette type as expression https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html#comment-677995

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

493669 · ‎02-07-2018

great! 🙂

493669 · ‎02-07-2018

You can do this by adding this format:

<format type="color" field="Status">
          <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
 </format>

try this run anywhere search:

<dashboard>
  <label>error</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="log_level">
          <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

varun99 · ‎02-07-2018

Already tried this, but it's not working. Please note that the Status field contains a big string like :
"Request received. Sent to Provider. Error. Received response from Provider."
"Error" is just a part of the string.

varun99 · ‎02-07-2018

Worked with the below:

if (like(value,"%Error%"),"#FF5733","#247bc1")

Thanks anyways 🙂

493669 · ‎02-07-2018

its possible with the help of js
have a look at https://answers.splunk.com/answers/42994/advanced-xml-highlight-certain-values-in-a-table-not-numeri...

Can i assign a color to a string in a field if it is present in the field ?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...