Re: Color a word in a field/Splunk Result

kirti_gupta12 · ‎11-17-2021

I have a Splunk query:

index=my_index cf_app_name=$app_name$ msg!="*Hikari*" $log_type$ | sort -_time | table msg

It populates Splunk with results.

Now, the msg field has log_type as INFO, ERROR, WARNING. Example:

2021-11-17 15:03:34.921  INFO 22 --- [ taskExecutor-1] c.c.p.r.e.EventService            : Event sent to event ID: 2111 - REPRICING has finished

2021-11-16 22:23:54.905 ERROR 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService           : Could not delete file: /-/PCS.P.KSZ4750J.TRIG.FILE - 4: Failure

2021-11-16 22:23:54.905 WARNING 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService           : Could not delete file: /-/PCS.P.KSZ4750J.TRIG.FILE - 4: Failure

Now, My goals is to COLOR the log_type field in the "msg" to Green if it's INFO, Red if it's ERROR, and Yellow if it's WARNING.

I don't want to color the entire msg field, just the words INFO, ERROR and WARNING should be turned to those specific colors.

@scelikok @somesoni2

ITWhisperer · ‎11-17-2021

Assuming you are using the standard table viz, this is not possible; you would need to split the message up into different fields and then just colour the field with the log type in.

Color a word in a field/Splunk Result

fields

regex

stats

subsearch

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?