How do you color a specific word in the logs?

jip31
Motivator

hi,

I use the query below in order to extract events that have only "Failed Error code : " in the logs

index="ai-wkst-windows-fr" sourcetype=applog "Failed Error code : " 

But I would also like to color "Failed Error code : " background in red.

Thanks in advance for your help.

rgs

0 Karma

niketn
Legend

@jip31 if you are using filter "Failed Error Code" and your search is returning raw events which are displayed inside <event> view, you would not need highlight command exclusively.

In order to color background red instead of default yellow, you can try the following CSS override in the dashboard.

     .event .raw-event .a{
       background-color: red;
       border-top: 4px solid red;
       border-bottom: 4px solid red;
       color: white;
     }

Following is a run anywhere example with <event> view with id="my_event".

Please try out and confirm if this is what is required:

<dashboard>
  <label>Event Viewer</label>
  <row>
    <panel>
      <html>
        <style>
          #my_event.event .raw-event .a{
            background-color: red;
            border-top: 4px solid red;
            border-bottom: 4px solid red;
            color: white;
          }
        </style>
      </html>
      <event id="my_event">
        <search>
          <query>index=_internal sourcetype=splunkd "ERROR" OR "FAIL*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">none</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

jip31
Motivator

Nobody can't help me, please???

0 Karma


jip31
Motivator

Sorry, but it doesn't work.
ERROR is well highlighted but not in red.

0 Karma

jip31
Motivator

hi
this is my panel code:

<row>
    <panel>
      <title>"app.log" logs - "Failed Error code"</title>
      <table>
        <title>Source :</title>
        <search>
          <query>| loadjob savedsearch="admin:SA_AI_NR_S180_FOAnalyser_Workstation_Monitoring_sh:FO_EventServiceLog_Logs_applog" 
| search host=$tok_filterhost$</query>
          <earliest>$tok_filtertime.earliest$</earliest>
          <latest>$tok_filtertime.latest$</latest>
        </search>
        <option name="count">10</option>
      </table>
    </panel>
  </row>

If I try to update it with your code I have:

      <html>
        <style>
          .dashboard-header p.description {
            font-size: 16px;
            font-weight: bold;
            font-family: Arial;
            font-style: italic;
            color: black;
            padding-top: 40px;
          }

          #my_event.event .raw-event .a{
            background-color: red;
            border-top: 4px solid red;
            border-bottom: 4px solid red;
            color: white;
          }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>"app.log" logs - "Failed Error code"</title>
      <event id="my_event">
        <title>Source :</title>
        <search>
          <query>| loadjob savedsearch="admin:SA_AI_NR_S180_FOAnalyser_Workstation_Monitoring_sh:FO_EventServiceLog_Logs_applog" 
| search host=$tok_filterhost$</query>
          <earliest>$tok_filtertime.earliest$</earliest>
          <latest>$tok_filtertime.latest$</latest>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">none</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>

So I have no error but the query doesn't work!
I have the message "the search did not give any events"

0 Karma

jip31
Motivator

Have you an idea why I got the message "the search did not give any events"?

0 Karma

dkeck
Influencer

jip31
Motivator

Hi, thanks, but highlight doesn't color the value, exact???

0 Karma

dkeck
Influencer

It will highlight in the event view any word for your current search that you want. Where do you want it to be highlighted?

0 Karma

jip31
Motivator

I want to highlight "Failed Error code : "

0 Karma