Splunk Search

Dashboard query on showing alternate colour based on extracted string

krusovice
Path Finder

Hello all,

I'm facing a challenge in getting the dashboard requirement done. This is reading from the log; the log pattern is like this:

2018/06/14 06:50:51 VCS NOTICE V-16-1-10447 Group virtual_abc is online on system SERVER_A

When this string is found (the latest string), it is confirmed that virtual_abc is running on SERVER_A.

The requirement is to have a dashboard with SERVER_A and SERVER_B in it. If virtual_abc is running on SERVER_A, it is green for SERVER_A. If virtual_abc is running on SERVER_B, it is red for SERVER_B (virtual_abc should always be running on SERVER_A).

I have the query below, which correctly extracts the string I want, but I have no idea how to make it meet the requirement above.

index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats  latest(online)

May I ask for your help?


renjith_nair
SplunkTrust

Hi @krusovice,

Depending on your chosen visualization, you could set the color based on value.

For table - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/TableFormatsFormatting#Format_table_columns
For Single value - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/SingleValueFormatting#Color_by_value

If you need to convert the string to a numeric value for the single value visualisation, you could use index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats latest(online) as server|eval result=if(server=="SERVER_A",1,0)|fields result

Let us know in case you need further assistance.

Happy Splunking!

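A Simple XML dashboard panel that wires the search from the answer above into a single value visualization coloured by value, added here as an example (it is not code from the thread). The hex colours, the 24-hour time window and the tightened regex (`\w+` instead of `[\w+]+`) are assumptions; the result field keeps the answer's 1 = SERVER_A, 0 = anywhere else convention.

```xml
<dashboard>
  <label>virtual_abc location (added example, not from the original thread)</label>
  <row>
    <panel>
      <title>Service group virtual_abc</title>
      <single>
        <search>
          <!-- Same extraction as the answer; "<" inside the query must be escaped in Simple XML -->
          <query>index=* "Group virtual_abc is online on system"
| rex field=_raw "Group virtual_abc is online on system (?&lt;online&gt;\w+)"
| stats latest(online) as server
| eval result=if(server=="SERVER_A",1,0)
| fields result</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Colour by value: anything <= 0 takes the first colour (red, i.e. failed over),
             anything above 0 takes the second (green, i.e. online on SERVER_A) -->
        <option name="colorBy">value</option>
        <option name="useColors">1</option>
        <option name="rangeValues">[0]</option>
        <option name="rangeColors">["0xdc4e41","0x53a051"]</option>
        <option name="underLabel">1 = online on SERVER_A, 0 = running elsewhere</option>
      </single>
    </panel>
  </row>
</dashboard>
```

If the events also carry an offline message, the `latest(online)` value will still reflect the last "is online" line, so a group that has gone down entirely keeps its previous colour until the next online event arrives.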


krusovice
Path Finder

Thanks @renjith.nair, got the tips on how to achieve it and will work on it.
