Solved: Re: How do you change the background color of a ti...

DEAD_BEEF · ‎12-30-2018

I have a simple timechart that looks at the _internal index for various hosts and makes a simple timechart span by hour. I trellis this by host so I get say 8 medium sized timecharts that show log counts over the last 3 days. Sometimes, some of these hosts go down and the value obviously goes to zero.

How do I make the background panel for that host colored red when any of the values is zero? In other words, I want to capture the attention of my users when any of the hosts have a time when there are no logs. If this isn't possible, I'd be open to other suggestions that would get a users attention. I already have alerts set up as well, but this dashboard is also important, and I want to make it easier to capture the user's attention.

| tstats count where index=_internal host=myhost00* by host_time prestats=t span=1h
| timechart span=1h count by host

Final working SPL. Since I have multiple hosts, I just broke them down into individual searches and removed the <panel> tags to make them look like one big panel.

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <chart>
        <search id="pre">
          <query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
                 | timechart span=1h count AS mycount
          </query>
          <earliest>-48h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="charting.backgroundColor">$myColorToken$</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">preview</option>
      </chart>
    </panel>
  </row>
  <search base="pre">
    <query>| stats min(mycount) AS mincount</query>
    <done>
      <eval token="myColorToken">if($result.mincount$&lt;=0,"red","white")</eval>
    </done>
  </search>
</dashboard>

DalJeanis · ‎12-31-2018

With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.

Updated with more details as per request...

In your SPL, you will do something like this

<search id="whatever">
    <query>
     ... your search stuff...
     | timechart span=1h count as mycount
    </query>
</search>

Elsewhere, you will have another search that uses that one as its base

<search base="whatever">
    <query>
    | stats min(mycount) as mincount
    </query>
     <done>
      <eval token="myColorToken">if($result.minfoo$&lt;=0,"red","green")</eval>
    </done>
</search>

In your chart, you are going to have a line like this...

<option name="charting.backgroundColor">$myColorToken$</option>

The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.

Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.

Paging @niketnilay...

View solution in original post

DalJeanis · ‎12-31-2018

With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.

Updated with more details as per request...

In your SPL, you will do something like this

<search id="whatever">
    <query>
     ... your search stuff...
     | timechart span=1h count as mycount
    </query>
</search>

Elsewhere, you will have another search that uses that one as its base

<search base="whatever">
    <query>
    | stats min(mycount) as mincount
    </query>
     <done>
      <eval token="myColorToken">if($result.minfoo$&lt;=0,"red","green")</eval>
    </done>
</search>

In your chart, you are going to have a line like this...

<option name="charting.backgroundColor">$myColorToken$</option>

The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.

Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.

Paging @niketnilay...

DEAD_BEEF · ‎12-31-2018

Thank you @DalJeanis! Just needed to encode the "<" but otherwise it worked perfectly. First time for me using these tags, learning new SPL everyday.

DalJeanis · ‎12-31-2018

Ah, yes. updated < to <.

niketn · ‎01-02-2019

😄 I will keep quiet if this works straight-forward with several charts powered by individual queries. <condition match="$job.resultCount$==0"> (i.e. to capture Search returned no results) can also be used with <done> and <progress> Search Event Handlers to achieve same results to set background color of the chart!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DalJeanis · ‎01-02-2019

Yes, but I couldn't type that one as aircode, and didn't want to take the time to google the exact capitalization...

DEAD_BEEF · ‎12-31-2018

Hi @DalJeanis I think I can break up the SPL query into individual searches to avoid using trellis. Can you give me an example of how to do it with a "normal chart"? Then I can try implementing it via <done> as you mentioned?

How do you change the background color of a timechart if there is a value of zero ?

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

How do you change the background color of a timechart if there is a value of zero ?

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition