Hi All, I am running a dashboard which returns the total count (stats count) of field mentioning Severity=ok or Severity=Critical.
The requirement is if at least one field value is Severity=Critical, the color of the panel should turn to Red otherwise Green when Severity=Ok.
Can someone please suggest.
OK Try this
<dashboard version="1.1" theme="dark">
<search id="base_search">
<query>| inputlookup kv_cmdb_as_entity_kpi_lookup WHERE NOT kpi="*~~*" AND host IN (X,Y)
[
search index="itsi_grouped_alerts" kpi=* severity=* entity_name=* earliest=-60m@m
| stats latest(_time) as time latest(severity) as severity by entity_name kpi
| eval host=lower(mvindex(split(entity_name, "."), 0))
| table host kpi severity time
]
| eval severity=coalesce(severity, 2), n=now(), time=coalesce(time, n), time=strftime(time, "%Y-%m-%d %H:%M:%S")
| fields - n _key _timediff
| sort - severity host kpi
| eval severity=case(severity == 2, "OK", severity == 4, "MEDIUM", severity == 6, "CRITICAL")
| fields host kpi severity
| rename host as Host, kpi as KPI, severity as Severity
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<label>Application Dashboard</label>
<row>
<panel depends="$alwaysHide$">
<html>
<style>
#single_prd text {
fill: $single_text_colour$ !important;
}
</style>
</html>
</panel>
<panel>
<title>PRD</title>
<single id="single_prd">
<title>Server Name</title>
<search base="base_search">
<query>| search Host=xyz* Severity=*
| stats count count(eval(Severity=="CRITICAL")) as _critical
| eval _colour=if(_critical>0,"red","green")</query>
<done>
<set token="single_text_colour">$result._colour$</set>
</done>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</dashboard>
@ITWhisperer I am not checking the query before replying 😞
I set it to red now.
| eval _colour=case(_critical>0 AND _medium>0,"red",_critical=0 AND _medium>0,"yellow",_critical=0 AND _medium=0,"green",_critical>0 AND _medium=0, "red")
It will work, but it is the long way round to do it.
Hi @ITWhisperer I have received a final change in requirement. Instead of numbers to be colored, we need the server name to be colored. We are not interested in the count. Can you assist me how to display only colored server names based on SEVERITY.
<query>| search Host=xyz* Severity=*
| stats count count(eval(Severity=="CRITICAL")) as _critical count(eval(Severity=="OK")) as _ok count(eval(Severity=="MEDIUM")) as _medium
| eval _colour=case(_critical>0 AND _medium>0,"red",_critical=0 AND _medium>0,"yellow",_critical=0 AND _medium=0,"green",_critical>0 AND _medium=0, "red")</query>
Where is the host name in the results of your search?
Is there only ever one host per single?
Please clarify your requirement
@ITWhisperer This is the final code. There is a base search at top and the panel search query that we have modified together. There will be 20 servers but in the example I am showing only one panel with host = XYZ*. Right now it is displaying correct color but count of total "Severities". I want the same criteria to evaluate the colors but show "server name" instead of "Count"
<dashboard version="1.1" theme="dark">
<search id="base_search">
<query>| inputlookup kv_cmdb_as_entity_kpi_lookup WHERE NOT kpi="*~~*" AND host IN (X,Y)
[
search index="itsi_grouped_alerts" kpi=* severity=* entity_name=* earliest=-60m@m
| stats latest(_time) as time latest(severity) as severity by entity_name kpi
| eval host=lower(mvindex(split(entity_name, "."), 0))
| table host kpi severity time
]
| eval severity=coalesce(severity, 2), n=now(), time=coalesce(time, n), time=strftime(time, "%Y-%m-%d %H:%M:%S")
| fields - n _key _timediff
| sort - severity host kpi
| eval severity=case(severity == 2, "OK", severity == 4, "MEDIUM", severity == 6, "CRITICAL")
| fields host kpi severity
| rename host as Host, kpi as KPI, severity as Severity
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<label>Application Dashboard</label>
<row>
<panel depends="$alwaysHide$">
<html>
<style>
#single_prd text {
fill: $single_text_colour$ !important;
}
</style>
</html>
</panel>
<panel>
<title>PRD</title>
<single id="single_prd">
<title>Server Name</title>
<search base="base_search">
<query>| search Host=xyz* Severity=*
| stats count count(eval(Severity=="CRITICAL")) as _critical count(eval(Severity=="OK")) as _ok count(eval(Severity=="MEDIUM")) as _medium
| eval _colour=case(_critical>0 AND _medium>0,"red",_critical=0 AND _medium>0,"yellow",_critical=0 AND _medium=0,"green",_critical>0 AND _medium=0, "red")</query>
<done>
<set token="single_text_colour">$result._colour$</set>
</done>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</dashboard>
If I have understood your requirement correctly, you want a trellis layout of a single with each sub-panel in the single showing the host name coloured using a different colour dependent on a count associated with that host?
If so, I am not sure there is a way to do this.
@ITWhisperer The requirement is attached. Right now we are displaying count of the Severity (Critical, OK, Medium) of the hosts but requirement is to display server names.
Requirement
Present condition
As I said, I don't think there is a way to achieve this with a single panel even in trellis mode.
If you have a known set of hosts, you could create a separate panel for each host, and then set the colour based on the severities for each host.
@ITWhisperer That’s exactly what I want to achieve. I need separate panels for each host, then later I can merge them in 2-3 rows accordingly.
This is exactly the situation right now in my dashboard but presently I am getting numbers (counts) for each server whereas I just want to display server name. I know it is a small SPL change but I am not able to fix it 😞
As I said, I don't think it is possible with singles, but you might be able to do something with a table
See if you can adapt this code
<panel depends="$stayhidden$">
<html>
<style>
#hoststatus table tbody{
display:flex;
flex-wrap: wrap;
}
#hoststatus table tbody tr{
margin-right:10px;
margin-bottom:10px;
}
#hoststatus table tbody tr td{
width: 180px;
height: 40px;
text-align: center;
}
#hoststatus table tbody td div.multivalue-subcell[data-mv-index="1"]{
display: none;
}
</style>
</html>
</panel>
<panel id="hoststatus">
<table>
<search>
<query>| makeresults count=50
| eval host="Host".mvindex(split("ABCDE",""),random()%4)
| eval count=random()%5
| stats sum(count) as count by host
| eval host=mvappend(host,case(count&lt;20,"GREEN",count&lt;30,"ORANGE",true(),"RED"))
| table host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color">
<colorPalette type="expression">case (match(value,"RED"), "#ff0000",match(value,"ORANGE"), "#ff8000",match(value,"GREEN"),"#00ff00",true(),"#ffffff")</colorPalette>
</format>
</table>
</panel>
It depends on what your criteria for AMBER is - if I assume it is "MEDIUM" and that if the count for critical is zero but the count for MEDIUM is not zero, then this is AMBER? - you could change the query to this
<query>| search Host=xyz* Severity=*
| stats count count(eval(Severity=="CRITICAL")) as _critical count(eval(Severity=="MEDIUM")) as _amber
| eval _colour=if(_critical>0,"red",if(_amber>0,"yellow","green"))</query>
The requirement is if we have at least one Severity count as "CRITICAL" change the color to Red. No matter if we have "MEDIUM" or "OK" events.
If "MEDIUM" and "OK" but no "CRITICAL" then AMBER
If "OK" only then green
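The rule stated above (any CRITICAL gives red, MEDIUM without CRITICAL gives amber, only OK gives green) applied per host and shown as coloured server names, as an added example that is not part of the original thread. It reuses the hidden CSS panel, the `hoststatus` id and the colour palette from the table answer in the thread; the sample rows and the host names xyz01 to xyz03 are constructed for illustration.

```xml
<!-- Added example, not code from the thread. The sample rows and the host
     names xyz01..xyz03 are constructed. This panel replaces the "hoststatus"
     table panel and relies on the hidden CSS panel posted with it. -->
<panel id="hoststatus">
  <table>
    <search>
      <query><![CDATA[
| makeresults
| eval raw="xyz01,cpu,OK;xyz01,mem,CRITICAL;xyz02,cpu,MEDIUM;xyz02,mem,OK;xyz03,cpu,OK"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<Host>[^,]+),(?<KPI>[^,]+),(?<Severity>.+)"
| stats count(eval(Severity=="CRITICAL")) as critical count(eval(Severity=="MEDIUM")) as medium by Host
| eval status=case(critical>0,"RED",medium>0,"ORANGE",true(),"GREEN")
| eval Host=mvappend(Host,status)
| table Host
      ]]></query>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
    <!-- Same palette as the table answer: the second multivalue entry
         (hidden by the CSS) carries the status that picks the cell colour. -->
    <format type="color">
      <colorPalette type="expression">case (match(value,"RED"), "#ff0000",match(value,"ORANGE"), "#ff8000",match(value,"GREEN"),"#00ff00",true(),"#ffffff")</colorPalette>
    </format>
  </table>
</panel>
```

To run it against the dashboard's own data, use `<search base="base_search">` and replace the lines from `makeresults` through `rex` with `| search Severity=*`, since the base search already returns Host, KPI and Severity.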