Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change a single panel color based on text result with unit format ?

jip31
Motivator
‎07-26-2020 10:06 PM

Hi

In the search below, I would be able to change the background color following the value of the FreeSpace field

It works if I delete the format of the field

 

 

 

| eval FreeSpace=FreeSpace." GB"

 

 

 

but I need to keep it in the search

How to do this please? Is anybody can help?

 

 

 

 

    [| inputlookup host.csv 
    | table host] `diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| eval FreeSpace=FreeSpace." GB" 
| table FreeSpace 
| appendpipe 
    [| stats count 
    | eval FreeSpace="No event for this host" 
    | where count = 0 
    | table FreeSpace ]

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-07-2020 10:29 PM

@jip31 ,

Try this run anywhere example and see it fits your use case

<form>
  <label>Single Value</label>
  <fieldset submitButton="false">
    <input type="radio" token="data" searchWhenChanged="true">
      <label>Data</label>
      <choice value="1">With Data</choice>
      <choice value="0">Without Data</choice>
      <initialValue>1</initialValue>
      <default>1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <done>
            <condition match="'result.dummy' ==&quot;false&quot;">
              <set token="unit">GB</set>
            </condition>
            <condition>
              <set token="unit"></set>
            </condition>
          </done>
          <query>|makeresults |eval host="host1",FreeSpace=25|eval dummy="false"|where 1=$data$
                  |appendpipe 
                      [| stats count 
                      | eval FreeSpace="No event for this host" 
                      | where count = 0 
                      | eval dummy="true"
                      | table FreeSpace,dummy ]
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0xf1813f","0xf8be34","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unit">$unit$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

 

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-07-2020 10:29 PM

@jip31 ,

Try this run anywhere example and see it fits your use case

<form>
  <label>Single Value</label>
  <fieldset submitButton="false">
    <input type="radio" token="data" searchWhenChanged="true">
      <label>Data</label>
      <choice value="1">With Data</choice>
      <choice value="0">Without Data</choice>
      <initialValue>1</initialValue>
      <default>1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <done>
            <condition match="'result.dummy' ==&quot;false&quot;">
              <set token="unit">GB</set>
            </condition>
            <condition>
              <set token="unit"></set>
            </condition>
          </done>
          <query>|makeresults |eval host="host1",FreeSpace=25|eval dummy="false"|where 1=$data$
                  |appendpipe 
                      [| stats count 
                      | eval FreeSpace="No event for this host" 
                      | where count = 0 
                      | eval dummy="true"
                      | table FreeSpace,dummy ]
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0xf1813f","0xf8be34","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unit">$unit$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

 

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-09-2020 10:28 PM

yes thanks!

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:06 PM

Are you using the Single Value visualization for your panel?

If so , try removing the eval where you append the GB suffix.

Set the color range in the viz format settings, and add the GB as a suffix in the viz format settings.

 

[| inputlookup host.csv
| table host] `diskspace`
| fields FreeSpaceKB host
| eval host=upper(host)
| eval FreeSpace = FreeSpaceKB/1024
| eval FreeSpace = round(FreeSpace/1024,1)
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace by host
| table FreeSpace
| appendpipe
[| stats count
| eval FreeSpace="No event for this host"
| where count = 0
| table FreeSpace ]

 

Annotation (1).pngAnnotation (2).png

 

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-26-2020 11:08 PM

yes I use it

but i dont want to add the GB suffix because if I am doing that I have an issue in the appendpipe command results : 

"No event for this host GB" is displayed instead "No event for this host" 

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:23 PM

Ah ok, I see what you mean 🙂
Try this - can't really test myself, but it should work.

 

[| inputlookup host.csv
| table host] `diskspace`
| eval host=upper(host)
| eval FreeSpace = round(FreeSpaceKB/1024/1024,1)." GB"
| append [
   | makeresults
   | eval _time = 0  
   | eval host="$tok_filterhost$" 
  | eval FreeSpace = "No event for this host" 
  ]
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace by host
| table FreeSpace



0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-26-2020 11:30 PM

No sorry same problem

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:50 PM

 

OK, 3rd time lucky

 

[| inputlookup host.csv
| table host] `diskspace`
| eval host=upper(host)
| eval FreeSpace = round(FreeSpaceKB/1024/1024,1)
| rangemap field=FreeSpace low=0-30 elevated=31-99 high= 100-200 default=severe
| eval FreeSpace = FreeSpace." GB"
| append [
   | makeresults
   | eval _time = 0  
   | eval host="$tok_filterhost$" 
   | range="guarded"
  | eval NoSpace = "No event for this host" 
  ]
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace latest(range) AS range



make sure you turn off use colors in the Viz format , adjust your color levels accordingly in the rangemap.
low is green, elevated is yellow, severe is red, guarded will be blue.

 

Annotation (3).png

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-27-2020 12:10 AM

unfortunately no

"Error in rangemap command : invalid range"

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:26 PM

Oh wait , that doesn't actually solve your initial problem does it..........

Gimme 5 mins

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...