Splunk Search

Can i assign a color to a string in a field if it is present in the field ?

varun99
Path Finder

My requirement is to highlight the "Error" string in red colour if it is present in the extracted field "Status".
Note: I am using stats command.

0 Karma
1 Solution

varun99
Path Finder

Worked with the below:

    <format type="color" field="Status">
      <colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
    </format>

View solution in original post

niketn
Legend

Refer to one of my previous answers on similar lines. Changes can be made to Javascript to apply color/background color to complete text

https://answers.splunk.com/answers/636948/how-to-add-css-class-to-table-field-by-input-in-sp.html
Please see if it fits the need.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

varun99
Path Finder

Worked with the below:

    <format type="color" field="Status">
      <colorPalette type="expression">if (like(value,"%Error%"),"#FF5733","#247bc1")</colorPalette>
    </format>

markhill1
Path Finder

Is it possible to add in more values? Ive tried a few combinations of syntax and havent got it working yet.
Thanks.
Worked it out:

      <colorPalette type="expression">if (like(value,"%host%") OR like(value,"%feed%"),"#D93F3C","#FFFFFF")</colorPalette>
    </format>

askkawalkar
Path Finder

It can be achieve using case also - I have used case, Thanks to @varun99 for providing concept.

<format type="color" field="status">
          <colorPalette type="expression">case(like(value,"ok"),"#53A051",like(value,"warn"),"#F8BE34", !like(value,"ok"),"#DC4E41")</colorPalette>
        </format>
0 Karma

niketn
Legend

Yes seems like case works in Splunk 8.x. Not sure which version onward it started working.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Refer to comment by @TonyLeeVT where multiple nested if can be used to set more than two color values using colorPalette type as expression https://answers.splunk.com/answers/26522/if-statment-or-nested-if.html#comment-677995

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

493669
Super Champion

great! 🙂

0 Karma

493669
Super Champion

You can do this by adding this format:

<format type="color" field="Status">
          <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
 </format>

try this run anywhere search:

<dashboard>
  <label>error</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal | stats count by log_level</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="log_level">
          <colorPalette type="map">{"ERROR":#D93F3C}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
0 Karma

varun99
Path Finder

Already tried this, but it's not working. Please note that the Status field contains a big string like :
"Request received. Sent to Provider. Error. Received response from Provider."
"Error" is just a part of the string.

0 Karma

varun99
Path Finder

Worked with the below:

if (like(value,"%Error%"),"#FF5733","#247bc1")

Thanks anyways 🙂

0 Karma

493669
Super Champion
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...