Splunk Search

Can I assign a color to a string in a field if it is present in the field?

varun99
Path Finder

My requirement is to highlight the "Error" string in red colour if it is present in the extracted field "Status".
Note: I am using stats command.

0 Karma
1 Solution

varun99
Path Finder

Worked with the below:

    <format type="color" field="Status">
      <colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
    </format>

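A run-anywhere Simple XML dashboard, added here as an example and not taken from any post in this thread, that builds a few constructed Status strings with makeresults and applies the accepted answer's expression palette, extended with the nested-if approach niketn's link describes so that a third colour can be set. The sample strings, the hypothetical "Warning" marker and the hex colours are my own choices.

```xml
<dashboard>
  <label>Status highlighting (added example with constructed data)</label>
  <row>
    <panel>
      <table>
        <search>
          <!-- Constructed sample rows; no index is required. Row 1 reproduces the
               long string from the question, where "Error" is only a substring,
               which is why a colorPalette type="map" (whole-cell match) never fires. -->
          <query>| makeresults count=4
| streamstats count as id
| eval Status=case(
    id==1, "Request received. Sent to Provider. Error. Received response from Provider.",
    id==2, "Request received. Warning: provider slow. Received response from Provider.",
    id==3, "Request received. Sent to Provider. Received response from Provider.",
    id==4, "Request received. Error. Retrying.")
| table id Status</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="count">20</option>
        <!-- type="expression" evaluates against each cell value ("value"), so
             like() with % wildcards matches a substring anywhere in the string.
             Nested if() gives more than two colours; case() is an alternative
             reported to work on Splunk 8.x elsewhere in this thread. -->
        <format type="color" field="Status">
          <colorPalette type="expression">if(like(value,"%Error%"), "#DC4E41", if(like(value,"%Warning%"), "#F8BE34", "#53A051"))</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```

Rows 1 and 4 render red, row 2 amber and row 3 green; swap the colours or the wildcard patterns to match your own field values.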

niketn
Legend

Refer to one of my previous answers on similar lines. Changes can be made to the JavaScript to apply color/background color to the complete text.

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html
Please see if it fits the need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nsaveljevas
Explorer

It worked for me! Thanks a lot! 😄

0 Karma

markhill1
Path Finder

Is it possible to add in more values? I've tried a few combinations of syntax and haven't got it working yet.
Thanks.
Worked it out:

    <!-- Opening tag was missing from the post; FIELD_NAME is a placeholder for the field being coloured -->
    <format type="color" field="FIELD_NAME">
      <colorPalette type="expression">if (like(value,"%host%") OR like(value,"%feed%"),"#D93F3C","#FFFFFF")</colorPalette>
    </format>

askkawalkar
Path Finder

It can be achieved using case also. I have used case; thanks to @varun99 for providing the concept.

    <format type="color" field="status">
      <colorPalette type="expression">case(like(value,"ok"),"#53A051",like(value,"warn"),"#F8BE34", !like(value,"ok"),"#DC4E41")</colorPalette>
    </format>
0 Karma

niketn
Legend

Yes, it seems like case works in Splunk 8.x. Not sure which version onward it started working.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Refer to the comment by @TonyLeeVT where multiple nested if can be used to set more than two color values using colorPalette type as expression: https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html#comment-677995

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

493669
Super Champion

great! 🙂

0 Karma

493669
Super Champion

You can do this by adding this format:

    <format type="color" field="Status">
      <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
    </format>

Try this run-anywhere search:

<dashboard>
  <label>error</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="log_level">
          <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

varun99
Path Finder

Already tried this, but it's not working. Please note that the Status field contains a big string like:
"Request received. Sent to Provider. Error. Received response from Provider."
"Error" is just a part of the string.

0 Karma

varun99
Path Finder

Worked with the below:

if (like(value,"%Error%"),"#FF5733","#247bc1")

Thanks anyways 🙂

0 Karma
