Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you change the background color of a ti...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
12-30-2018
07:36 PM
I have a simple timechart that looks at the _internal index for various hosts and makes a simple timechart span by hour. I trellis this by host so I get say 8 medium sized timecharts that show log counts over the last 3 days. Sometimes, some of these hosts go down and the value obviously goes to zero.
How do I make the background panel for that host colored red when any of the values is zero? In other words, I want to capture the attention of my users when any of the hosts have a time when there are no logs. If this isn't possible, I'd be open to other suggestions that would get a users attention. I already have alerts set up as well, but this dashboard is also important, and I want to make it easier to capture the user's attention.
| tstats count where index=_internal host=myhost00* by host_time prestats=t span=1h
| timechart span=1h count by host
Final working SPL. Since I have multiple hosts, I just broke them down into individual searches and removed the <panel> tags to make them look like one big panel.
<dashboard>
<label>Test Dashboard</label>
<row>
<panel>
<chart>
<search id="pre">
<query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
| timechart span=1h count AS mycount
</query>
<earliest>-48h@h</earliest>
<latest>@h</latest>
</search>
<option name="charting.backgroundColor">$myColorToken$</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">preview</option>
</chart>
</panel>
</row>
<search base="pre">
<query>| stats min(mycount) AS mincount</query>
<done>
<eval token="myColorToken">if($result.mincount$<=0,"red","white")</eval>
</done>
</search>
</dashboard>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
12-31-2018
10:18 AM
With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.
Updated with more details as per request...
In your SPL, you will do something like this
<search id="whatever">
<query>
... your search stuff...
| timechart span=1h count as mycount
</query>
</search>
Elsewhere, you will have another search that uses that one as its base
<search base="whatever">
<query>
| stats min(mycount) as mincount
</query>
<done>
<eval token="myColorToken">if($result.minfoo$<=0,"red","green")</eval>
</done>
</search>
In your chart, you are going to have a line like this...
<option name="charting.backgroundColor">$myColorToken$</option>
The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.
Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.
Paging @niketnilay...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
12-31-2018
10:18 AM
With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.
Updated with more details as per request...
In your SPL, you will do something like this
<search id="whatever">
<query>
... your search stuff...
| timechart span=1h count as mycount
</query>
</search>
Elsewhere, you will have another search that uses that one as its base
<search base="whatever">
<query>
| stats min(mycount) as mincount
</query>
<done>
<eval token="myColorToken">if($result.minfoo$<=0,"red","green")</eval>
</done>
</search>
In your chart, you are going to have a line like this...
<option name="charting.backgroundColor">$myColorToken$</option>
The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.
Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.
Paging @niketnilay...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
12-31-2018
03:00 PM
Thank you @DalJeanis! Just needed to encode the "<" but otherwise it worked perfectly. First time for me using these tags, learning new SPL everyday.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
12-31-2018
08:24 PM
Ah, yes. updated < to <.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
01-02-2019
08:49 AM
😄 I will keep quiet if this works straight-forward with several charts powered by individual queries. <condition match="$job.resultCount$==0"> (i.e. to capture Search returned no results) can also be used with <done> and <progress> Search Event Handlers to achieve same results to set background color of the chart!
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
01-02-2019
11:00 AM
Yes, but I couldn't type that one as aircode, and didn't want to take the time to google the exact capitalization...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
12-31-2018
11:02 AM
Hi @DalJeanis I think I can break up the SPL query into individual searches to avoid using trellis. Can you give me an example of how to do it with a "normal chart"? Then I can try implementing it via <done> as you mentioned?
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
