Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change a single panel color based on text result with unit format ?

jip31
Motivator
‎07-26-2020 10:06 PM

Hi

In the search below, I would be able to change the background color following the value of the FreeSpace field

It works if I delete the format of the field

 

 

 

| eval FreeSpace=FreeSpace." GB"

 

 

 

but I need to keep it in the search

How to do this please? Is anybody can help?

 

 

 

 

    [| inputlookup host.csv 
    | table host] `diskspace` 
| fields FreeSpaceKB host 
| eval host=upper(host) 
| eval FreeSpace = FreeSpaceKB/1024 
| eval FreeSpace = round(FreeSpace/1024,1) 
| search host=$tok_filterhost$ 
| stats latest(FreeSpace) as FreeSpace by host 
| eval FreeSpace=FreeSpace." GB" 
| table FreeSpace 
| appendpipe 
    [| stats count 
    | eval FreeSpace="No event for this host" 
    | where count = 0 
    | table FreeSpace ]

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-07-2020 10:29 PM

@jip31 ,

Try this run anywhere example and see it fits your use case

<form>
  <label>Single Value</label>
  <fieldset submitButton="false">
    <input type="radio" token="data" searchWhenChanged="true">
      <label>Data</label>
      <choice value="1">With Data</choice>
      <choice value="0">Without Data</choice>
      <initialValue>1</initialValue>
      <default>1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <done>
            <condition match="'result.dummy' ==&quot;false&quot;">
              <set token="unit">GB</set>
            </condition>
            <condition>
              <set token="unit"></set>
            </condition>
          </done>
          <query>|makeresults |eval host="host1",FreeSpace=25|eval dummy="false"|where 1=$data$
                  |appendpipe 
                      [| stats count 
                      | eval FreeSpace="No event for this host" 
                      | where count = 0 
                      | eval dummy="true"
                      | table FreeSpace,dummy ]
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0xf1813f","0xf8be34","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unit">$unit$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

 

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-07-2020 10:29 PM

@jip31 ,

Try this run anywhere example and see it fits your use case

<form>
  <label>Single Value</label>
  <fieldset submitButton="false">
    <input type="radio" token="data" searchWhenChanged="true">
      <label>Data</label>
      <choice value="1">With Data</choice>
      <choice value="0">Without Data</choice>
      <initialValue>1</initialValue>
      <default>1</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <done>
            <condition match="'result.dummy' ==&quot;false&quot;">
              <set token="unit">GB</set>
            </condition>
            <condition>
              <set token="unit"></set>
            </condition>
          </done>
          <query>|makeresults |eval host="host1",FreeSpace=25|eval dummy="false"|where 1=$data$
                  |appendpipe 
                      [| stats count 
                      | eval FreeSpace="No event for this host" 
                      | where count = 0 
                      | eval dummy="true"
                      | table FreeSpace,dummy ]
          </query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0xdc4e41","0xf1813f","0xf8be34","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unit">$unit$</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</form>

 

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎08-09-2020 10:28 PM

yes thanks!

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:06 PM

Are you using the Single Value visualization for your panel?

If so , try removing the eval where you append the GB suffix.

Set the color range in the viz format settings, and add the GB as a suffix in the viz format settings.

 

[| inputlookup host.csv
| table host] `diskspace`
| fields FreeSpaceKB host
| eval host=upper(host)
| eval FreeSpace = FreeSpaceKB/1024
| eval FreeSpace = round(FreeSpace/1024,1)
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace by host
| table FreeSpace
| appendpipe
[| stats count
| eval FreeSpace="No event for this host"
| where count = 0
| table FreeSpace ]

 

Annotation (1).pngAnnotation (2).png

 

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-26-2020 11:08 PM

yes I use it

but i dont want to add the GB suffix because if I am doing that I have an issue in the appendpipe command results : 

"No event for this host GB" is displayed instead "No event for this host" 

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:23 PM

Ah ok, I see what you mean 🙂
Try this - can't really test myself, but it should work.

 

[| inputlookup host.csv
| table host] `diskspace`
| eval host=upper(host)
| eval FreeSpace = round(FreeSpaceKB/1024/1024,1)." GB"
| append [
   | makeresults
   | eval _time = 0  
   | eval host="$tok_filterhost$" 
  | eval FreeSpace = "No event for this host" 
  ]
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace by host
| table FreeSpace



0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-26-2020 11:30 PM

No sorry same problem

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:50 PM

 

OK, 3rd time lucky

 

[| inputlookup host.csv
| table host] `diskspace`
| eval host=upper(host)
| eval FreeSpace = round(FreeSpaceKB/1024/1024,1)
| rangemap field=FreeSpace low=0-30 elevated=31-99 high= 100-200 default=severe
| eval FreeSpace = FreeSpace." GB"
| append [
   | makeresults
   | eval _time = 0  
   | eval host="$tok_filterhost$" 
   | range="guarded"
  | eval NoSpace = "No event for this host" 
  ]
| search host=$tok_filterhost$
| stats latest(FreeSpace) as FreeSpace latest(range) AS range



make sure you turn off use colors in the Viz format , adjust your color levels accordingly in the rangemap.
low is green, elevated is yellow, severe is red, guarded will be blue.

 

Annotation (3).png

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎07-27-2020 12:10 AM

unfortunately no

"Error in rangemap command : invalid range"

0 Karma
Reply
Solved! Jump to solution

kmugglet
Communicator
‎07-26-2020 11:26 PM

Oh wait , that doesn't actually solve your initial problem does it..........

Gimme 5 mins

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...