Splunk Search

How do you apply coloring based on a column value string to the complete row?

bharathkumarnec
Contributor

Hi All,

Context X Y Z
ABC 98 97 67
DEF 50 45 23
GHI 3 2 1

So, if Context is ABC, i have to apply color coding for X,Y,Z & if the context is DEF, another color coding need to be applied and so on.....

Also the X,Y&Z are not only three columns. i have "n" number of columns like that and sometimes these are dynamic and not static.

Regards,
BK

0 Karma

niketn
Legend

@bharathkumarnec adding more context to your question would assist us solve your problem.

If ABC, DEF, GHI etc. give the context for color to be applied what is the set of color to be applied for each?
If the number of columns X, Y and Z is not limited then would there be a scenario when you do not have actual color to be applied?
Can the same color from one series be applied to another series?

I would hope your option would be to use Simple XML JS Extension, whose complexity would be based on how you want to apply colors based on context.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

woodcock
Esteemed Legend

Although I cannot actually answer this question (and am not sure that it is possible with vanilla SimpleXML), I will contribute this helper non-answer for you and other potential answerers (that means you, @niketnilay). You can use this code to generate raw data:

| makeresults 
| fields - _time
| eval XYZ="X Y Z"
| makemv XYZ
| mvexpand XYZ
| eval Context=mvrange(1,tonumber(case(XYZ=="X", "98", XYZ=="Y", "97", XYZ=="Z", "67")) + 1)
| mvexpand Context
| eval Context="ABC"
| append [
| makeresults 
| fields - _time
| eval XYZ="X Y Z"
| makemv XYZ
| mvexpand XYZ
| eval Context=mvrange(1,tonumber(case(XYZ=="X", "50", XYZ=="Y", "45", XYZ=="Z", "23")) + 1)
| mvexpand Context
| eval Context="DEF" ]
| append [
| makeresults 
| fields - _time
| eval XYZ="X Y Z"
| makemv XYZ
| mvexpand XYZ
| eval Context=mvrange(1,tonumber(case(XYZ=="X", "3", XYZ=="Y", "2", XYZ=="Z", "1")) + 1)
| mvexpand Context
| eval Context="GHI" ]

Now look here, @bharathkumarnec, this pertains to you. You can build a contingency table out of this raw data with a single command by adding this:

| contingency Context XYZ

Now you clever answerers have a starting point go answer this question!

One of the visualizations that is interesting for contingency tables is a stacked bar graph so please check out how that looks and if that is useful to you.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...