Format table field with a space in the column name

helge
Builder

I would like to use the Simple XML format rule to specify the formatting of table columns as documented here, e.g.:

<format type="number" field="count">
  <option name="precision">3</option>
  <option name="unit">MB</option>
</format>

How do I specify a field name with a space in it? Does that even work?

My table would be defined as follows:

SOME_SPL | table "fieldname with spaces"
0 Karma

vasanthmss
Motivator

Yes, you can use a field name with a space in the format. A sample is below:

<dashboard>

  <row>
    <panel>

      <table>

        <search>
          <query>index=_internal | head 100 | bin span=1d _time | stats count by _time sourcetype |rename sourcetype as "Source Type"</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>

        <format type="color" field="Source Type">
          <colorPalette type="map">{"splunkd":#6DB7C6,"splunk-access":#F7BC38,"s":#AFEEEE}</colorPalette>
        </format>
        <format type="color" field="count">
          <colorPalette type="minMidMax" maxColor="#31A35F" midColor="#A2CC3E" minColor="#FFFFFF"></colorPalette>
          <scale type="minMidMax" maxType="percentile" maxValue="100" midType="percentile" midValue="50" minType="percentile" minValue="0"></scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

akarivaratharaj
Communicator

Hi @helge ,

I have a field called "TOTAL_TIME" which is in the format of "HH:MM:SS" and I am trying to apply the color format to it. But the color is not getting applied.

Could you please help me in getting the code to apply the color for the time format.

Thank you.

0 Karma

GDude
New Member

Hi, is there a way to color fields of a table by another field? I have created a field with colors and want to apply this to the numbers of another field. Thanks in advance. George

0 Karma

GDude
New Member

Sorry, I missed that you were only discussing fields with spaces. I'll place a new question.

0 Karma

helge
Builder

You should post this as a new question. Mixing topics is a no-no.

0 Karma

helge
Builder

Not adding additional quotes in some way is the one thing I did not try 😉

DalJeanis
SplunkTrust

It's great to include working code in your answer. It might have been easier for the poster to understand your answer if you'd also told him what field name to look for in your HTML - which is "Source Type" in this instance.

Or just told him -

 <format type="number" field="fieldname with spaces">
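
As an added example (not code from any poster in this thread), the Python check below reads a Simple XML dashboard and flags `<format>` elements whose `field` attribute carries an extra pair of quotes around a column name that the query writes in quotes. The dashboard text, the "Event Count" column and the helper names `quoted_names` and `check_formats` are constructed for illustration, and it assumes, as the thread indicates, that `field` must hold the bare column name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed dashboard: the first <format> uses the bare column name,
# the second wraps the name in an extra pair of quotes (&quot;).
DASHBOARD = """
<dashboard>
  <row><panel><table>
    <search>
      <query>index=_internal | stats count by sourcetype
        | rename sourcetype as "Source Type", count as "Event Count"</query>
    </search>
    <format type="color" field="Source Type"/>
    <format type="number" field="&quot;Event Count&quot;">
      <option name="precision">3</option>
    </format>
  </table></panel></row>
</dashboard>
"""

def quoted_names(query):
    """Names the SPL query writes in double quotes (heuristic, not an SPL parser)."""
    return set(re.findall(r'"([^"]+)"', query))

def check_formats(xml_text):
    """Return (field attribute, verdict) for every <format> in every <table>."""
    results = []
    for table in ET.fromstring(xml_text).iter("table"):
        names = quoted_names(table.findtext("search/query", default=""))
        for fmt in table.iter("format"):
            field = fmt.get("field", "")
            if field in names:
                verdict = "ok"
            elif field.strip("\"'") in names:
                verdict = "remove the extra quotes"
            else:
                verdict = "not a quoted name in the query (not checked)"
            results.append((field, verdict))
    return results

if __name__ == "__main__":
    for field, verdict in check_formats(DASHBOARD):
        print(f"{field!r}: {verdict}")
```

Unquoted column names such as `count` fall into the third verdict because the heuristic only collects names that appear in double quotes in the query.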