hi,
I use the query below in order to extract events that have only "Failed Error code : " in the logs:
index="ai-wkst-windows-fr" sourcetype=applog "Failed Error code : "
But I would also like to color the "Failed Error code : " background in red.
Thanks in advance for your help.
rgs
@jip31 if you are using the filter "Failed Error Code" and your search is returning raw events which are displayed inside an <event> view, you would not need the highlight command exclusively.
In order to color the background red instead of the default yellow, you can try the following CSS override in the dashboard.
.event .raw-event .a {
  background-color: red;
  border-top: 4px solid red;
  border-bottom: 4px solid red;
  color: white;
}
Following is a run-anywhere example with an <event> view with id="my_event".
Please try it out and confirm if this is what is required:
<dashboard>
  <label>Event Viewer</label>
  <row>
    <panel>
      <html>
        <style>
          #my_event.event .raw-event .a {
            background-color: red;
            border-top: 4px solid red;
            border-bottom: 4px solid red;
            color: white;
          }
        </style>
      </html>
      <event id="my_event">
        <search>
          <query>index=_internal sourcetype=splunkd "ERROR" OR "FAIL*"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">5</option>
        <option name="list.drilldown">full</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">none</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</dashboard>
Can nobody help me, please???
Sorry, but it doesn't work.
ERROR is well highlighted but not in red.
Hi,
this is my panel code:
<row>
  <panel>
    <title>"app.log" logs - "Failed Error code"</title>
    <table>
      <title>Source :</title>
      <search>
        <query>| loadjob savedsearch="admin:SA_AI_NR_S180_FOAnalyser_Workstation_Monitoring_sh:FO_EventServiceLog_Logs_applog"
          | search host=$tok_filterhost$</query>
        <earliest>$tok_filtertime.earliest$</earliest>
        <latest>$tok_filtertime.latest$</latest>
      </search>
      <option name="count">10</option>
    </table>
  </panel>
</row>
If I try to update it with your code I have:
    <html>
      <style>
        .dashboard-header p.description {
          font-size: 16px;
          font-weight: bold;
          font-family: Arial;
          font-style: italic;
          color: black;
          padding-top: 40px;
        }
        #my_event.event .raw-event .a {
          background-color: red;
          border-top: 4px solid red;
          border-bottom: 4px solid red;
          color: white;
        }
      </style>
    </html>
  </panel>
</row>
<row>
  <panel>
    <title>"app.log" logs - "Failed Error code"</title>
    <event id="my_event">
      <title>Source :</title>
      <search>
        <query>| loadjob savedsearch="admin:SA_AI_NR_S180_FOAnalyser_Workstation_Monitoring_sh:FO_EventServiceLog_Logs_applog"
          | search host=$tok_filterhost$</query>
        <earliest>$tok_filtertime.earliest$</earliest>
        <latest>$tok_filtertime.latest$</latest>
      </search>
      <option name="count">5</option>
      <option name="list.drilldown">full</option>
      <option name="list.wrap">1</option>
      <option name="maxLines">5</option>
      <option name="raw.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">0</option>
      <option name="table.drilldown">none</option>
      <option name="table.sortDirection">asc</option>
      <option name="table.wrap">1</option>
      <option name="type">list</option>
    </event>
So I have no error but the query doesn't work!
I have the message "the search did not give any events".
Do you have any idea why I got the message "the search did not give any events"?
Hi,
did you try highlight?
https://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Highlight
There is also rangemap but this is only for values in a numeric field https://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Rangemap
Hi, thanks, but highlight doesn't color the value, exact???
It will highlight in the event view any word for your current search that you want. Where do you want it to be highlighted?
I want to highlight "Failed Error code : "