Dashboard query on showing alternate colour based on extracted string

krusovice
Path Finder

Hello all,

I'm facing a challenge in getting a dashboard requirement done. The dashboard reads from a log whose pattern looks like this:

2018/06/14 06:50:51 VCS NOTICE V-16-1-10447 Group virtual_abc is online on system SERVER_A

When this string is found (the latest occurrence), it confirms that virtual_abc is running on SERVER_A.

The requirement is to have a dashboard with SERVER_A and SERVER_B in it. If virtual_abc is running on SERVER_A, it is green for SERVER_A. If virtual_abc is running on SERVER_B, it is red for SERVER_B (virtual_abc should always be running on SERVER_A).

I have the query below, which correctly extracts the string I want, but have no idea how to make it meet the requirement above.

index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats  latest(online)

May I ask for your help?


renjith_nair
SplunkTrust

Hi @krusovice,

Depending on your chosen visualization, you could set the color based on value.

For table - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/TableFormatsFormatting#Format_table_columns
For Single value - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/SingleValueFormatting#Color_by_value

If you need to convert the string to a numeric value for the single value visualisation, you could use index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats latest(online) as server|eval result=if(server=="SERVER_A",1,0)|fields result

Let us know in case you need further assistance.

Happy Splunking!

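Putting the two linked docs together, here is an added Simple XML example (not from the original thread) that wires the extraction query into a table coloured by the server string and a single value coloured by the numeric result. The colour codes, the time range, the base-search id and the narrowing of the search to the "Group virtual_abc is online" text are assumptions; index=* is kept as in the thread.

```xml
<dashboard>
  <label>virtual_abc placement (added example, not the thread's dashboard)</label>
  <!-- Base search shared by both panels. index=* as in the thread; the
       literal text filter is an assumption that keeps the rex cheap. -->
  <search id="vcs_base">
    <query>index=* "Group virtual_abc is online on system"
| rex field=_raw "Group virtual_abc is online on system (?&lt;online&gt;\w+)"
| stats latest(online) as server
| eval result=if(server=="SERVER_A",1,0)</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Last host reported online for virtual_abc</title>
      <table>
        <!-- Post-process of the base search: tables can colour a string
             column directly, so no numeric conversion is needed here. -->
        <search base="vcs_base">
          <query>| table server</query>
        </search>
        <format type="color" field="server">
          <!-- assumed colours: green when on SERVER_A, red when on SERVER_B -->
          <colorPalette type="map">{"SERVER_A":#53A051,"SERVER_B":#DC4E41}</colorPalette>
        </format>
      </table>
    </panel>
    <panel>
      <title>virtual_abc on SERVER_A?</title>
      <single>
        <!-- Single value needs a number: result is 1 on SERVER_A, else 0. -->
        <search base="vcs_base">
          <query>| fields result</query>
        </search>
        <option name="colorMode">block</option>
        <option name="useColors">1</option>
        <!-- threshold 0.5 (assumption) puts 0 in the first colour, 1 in the second -->
        <option name="rangeValues">[0.5]</option>
        <option name="rangeColors">["0xDC4E41","0x53A051"]</option>
      </single>
    </panel>
  </row>
</dashboard>
```

If no matching event exists in the time range, stats returns no row and the single value shows N/A rather than red, so a missing event is not mistaken for a healthy SERVER_A.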


krusovice
Path Finder

Thanks @renjith.nair, got the tips on how to achieve it and will work on it.
