Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Format table field with a space in the column name

helge
Builder
‎02-15-2017 01:51 PM

I would like to use the Simple XML format rule to specify the formatting of table columns as documented here, e.g.:

<format type="number" field="count">
  <option name="precision">3</option>
  <option name="unit">MB</option>
</format>

How do I specify a field name with a space in it? Does that even work?

My table would be defined as follows:

SOME_SPL | table "fieldname with spaces"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎02-15-2017 02:32 PM

Yes. field name with space you can use in the format. Sample is below, 

<dashboard>

  <row>
    <panel>

      <table>

        <search>
          <query>index=_internal | head 100 | bin span=1d _time | stats count by _time sourcetype |rename sourcetype as "Source Type"</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>

        <format type="color" field="Source Type">
          <colorPalette type="map">{"splunkd":#6DB7C6,"splunk-access":#F7BC38,"s":#AFEEEE}</colorPalette>
        </format>
        <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#31A35F" midColor="#A2CC3E" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax" maxType="percentile" maxValue="100" midType="percentile" midValue="50" minType="percentile" minValue="0"></scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
V

View solution in original post

Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎12-03-2019 11:27 PM

Hi @helge ,

I have a field called "TOTAL_TIME" which is in the format of "HH:MM:SS" and I am trying to apply the color format to it. But the color is not getting applied.

Could you please help me in getting the code to apply the color for the time format.

Thankyou.

0 Karma
Reply
Solved! Jump to solution

GDude
New Member
‎01-24-2018 02:38 AM

Hy, is there a way to color fields of a table by an other field? I have created a field with colors und want to apply this to the Numbers of an other field. Thanks in advance. George
alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

GDude
New Member
‎01-24-2018 05:54 AM

Sorry, I missed that you were only discussing fields with spaces. I'll place a new question.

0 Karma
Reply
Solved! Jump to solution

helge
Builder
‎01-24-2018 05:47 AM

You should post this as a new question. Mixing topics is a no-no.

0 Karma
Reply
Solved! Jump to solution
Solution

vasanthmss
Motivator
‎02-15-2017 02:32 PM

Yes. field name with space you can use in the format. Sample is below, 

<dashboard>

  <row>
    <panel>

      <table>

        <search>
          <query>index=_internal | head 100 | bin span=1d _time | stats count by _time sourcetype |rename sourcetype as "Source Type"</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>

        <format type="color" field="Source Type">
          <colorPalette type="map">{"splunkd":#6DB7C6,"splunk-access":#F7BC38,"s":#AFEEEE}</colorPalette>
        </format>
        <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#31A35F" midColor="#A2CC3E" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax" maxType="percentile" maxValue="100" midType="percentile" midValue="50" minType="percentile" minValue="0"></scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
V
Reply
Solved! Jump to solution

helge
Builder
‎02-15-2017 02:45 PM

Not adding additional quotes in some way is the one thing I did not try 😉

Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎02-15-2017 02:43 PM

It's great to include working code in your answer. It might have been easier for the poster to understand your answer if you'd also told him what field name to look for in your HTML - which is "Source Type" in this instance.

Or just told him -

 <format type="number" field="fieldname with spaces">
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...