Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Dashboard query on showing alternate colour based ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I'm facing a challenge in getting the dashboard requirement done. This is reading from the log, the log pattern is like this:
2018/06/14 06:50:51 VCS NOTICE V-16-1-10447 Group virtual_abc is online on system SERVER_A
When this string is found (the latest string), it is confirmed that virtual_abc is running in SERVER_A.
The requirement is to have the dashboard with SERVER_A and SERVER_B in it. If the virtual_abc running on SERVER_A - it is green for SERVER_A. If the virtual_abc is running on SERVER_B - it is red for SERVER_B (virtual_abc should always running in server_A).
I've the below query correctly extracted the string I want, but have no idea how to make it like requirement above.
index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats latest(online)
May I ask for your help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @krusovice,
Depends on your chosen visualization you could set the color based on value.
For table - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/TableFormatsFormatting#Format_table_columns
For Single value - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/SingleValueFormatting#Color_by_value
If you need to convert string to a numeric value for single value visualiasation, you could use index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats latest(online) as server|eval result=if(server=="SERVER_A",1,0)|fields result
Let's know in case you need further assistance
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @krusovice,
Depends on your chosen visualization you could set the color based on value.
For table - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/TableFormatsFormatting#Format_table_columns
For Single value - https://docs.splunk.com/Documentation/Splunk/7.1.1/Viz/SingleValueFormatting#Color_by_value
If you need to convert string to a numeric value for single value visualiasation, you could use index=* | rex field=_raw "Group virtual_abc is online on system (?<online>[\w+]+)" | stats latest(online) as server|eval result=if(server=="SERVER_A",1,0)|fields result
Let's know in case you need further assistance
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @renjith.nair, got the tips in how to achieve it and will work on it.
Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
