Splunk Search

How to change the cell color of a table if SLA time is missed?

harsush
Path Finder

Hi Team,

Below is my search, from which I am getting the completion time of a job. Below is where I need your help.

1 - If the search doesn't get a completion time, is there a way to change the cell color?
2 - Is there a way to compare the completion time with the SLA time and, if the completion time is more, change the color of the cell?

| inputlookup PROD_BOX_CO
| search Job=PROD* 
| rename Job AS JOB 
| join type=left JOB [ 
    search index=ca* sourcetype=uc4 host=uc* U0011502
    | rex "U0011502 Workflow '(?<JOB>[^']+)'" 
    | stats max(_time) AS Completion_Time by JOB 
    | eval Completion_Time = strftime(Completion_Time, "%+") 
]  | table CYCLE CheckPoint JOB SLA Completion_Time | sort Completion_Time

Lookup definition

Name :PROD_BOX_CO

Supported fields :
CYCLE,CheckPoint,Job,SLA
BAT_A,BAT1,PROD.BAT.XYZ,10:30

Lookup file : PROD_BOX_CO.csv

0 Karma

woodcock
Esteemed Legend

Always avoid join if you can (and you almost always can); try this:

index="ca*" sourcetype="uc4" host="uc*" U0011502
| stats max(_time) AS Completion_Time by JOB 
| eval Completion_Time_A = strftime(Completion_Time, "%+")
| eval Completion_Time_Hour = strftime(Completion_Time, "%H%M")
| appendpipe [| inputlookup PROD_BOX_CO
   | search Job="PROD*" 
   | rename Job AS JOB ]
| stats values(*) AS * BY JOB
| rex field=SLA mode=sed "s/://"
| eval diff = SLA - Completion_Time_Hour
| fieldformat SLA = replace(SLA , "(\d{2})$", ":\1")
| fieldformat Completion_Time_Hour= replace(Completion_Time_Hour, "(\d{2})$", ":\1")
| sort 0 Completion_Time
| table CYCLE CheckPoint SLA Completion_Time_A Completion_Time_Hour diff
0 Karma

woodcock
Esteemed Legend

On the stats panel, click on the crayon/marker of the field label/name that is to be compared to the SLA value.
In the dialog that opens, in the Color tab, click on None and select Ranges. You can take it from there.

0 Karma

harsush
Path Finder

I tried, but I am not getting it; I might be wrong. Can you please help, woodcock/Team?

Supported fields :
CYCLE,CheckPoint,Job,SLA
BAT_A,BAT1,PROD.BAT1.XYZ,10:30
BAT_A,BAT2,PROD.BAT2.XYZ,09:30
BAT_B,BAT1,PROD.BAT1.XYZ,07:30

| inputlookup PROD_BOX_CO
| search Job=PROD*
| rename Job AS JOB
| join type=left JOB [
search index=ca* sourcetype=uc4 host=uc* U0011502
| stats max(_time) AS Completion_Time by JOB
| eval Completion_Time_A = strftime(Completion_Time, "%+")
| eval Completion_Time_Hour = strftime(Completion_Time, "%H:%M")
] | eval diff = SLA-Completion_Time_Hour | table CYCLE CheckPoint SLA Completion_Time_A Completion_Time_Hour diff | sort Completion_Time

1 - How to calculate the time difference (SLA - Completion_Time_Hour)?
2 - If the SLA is missed, it needs to be highlighted in RED (if Completion_Time_Hour > SLA time, then highlight in RED).

0 Karma
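One way to cover both open points in this thread (the time difference and the red cell), as an added example that is not code from any poster: a Simple XML table that converts SLA and completion time to minutes since midnight and colours cells from the result. It assumes SLA is a same-day `HH:MM` value and that the search runs over the current day; `sla_min`, `done_min`, `diff_min` and `SLA_Status` are hypothetical field names.

```xml
<dashboard version="1.1">
  <label>Job SLA check</label>
  <!-- Added example: sla_min, done_min, diff_min and SLA_Status are illustrative names -->
  <row>
    <panel>
      <table>
        <search>
          <query><![CDATA[
| inputlookup PROD_BOX_CO
| search Job=PROD*
| rename Job AS JOB
| join type=left JOB [
    search index=ca* sourcetype=uc4 host=uc* U0011502
    | rex "U0011502 Workflow '(?<JOB>[^']+)'"
    | stats max(_time) AS Completion_Time BY JOB ]
| eval sla_min = tonumber(substr(SLA, 1, 2)) * 60 + tonumber(substr(SLA, 4, 2))
| eval done_min = tonumber(strftime(Completion_Time, "%H")) * 60 + tonumber(strftime(Completion_Time, "%M"))
| eval diff_min = sla_min - done_min
| eval SLA_Status = case(isnull(Completion_Time), "NOT COMPLETED", diff_min < 0, "MISSED", true(), "MET")
| eval Completion_Time = strftime(Completion_Time, "%H:%M")
| table CYCLE CheckPoint JOB SLA Completion_Time diff_min SLA_Status
| sort 0 CYCLE CheckPoint
          ]]></query>
          <!-- Assumption: jobs and their SLA fall within the current day -->
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <!-- Text status: one fixed colour per value -->
        <format type="color" field="SLA_Status">
          <colorPalette type="map">{"MISSED":#DC4E41,"NOT COMPLETED":#F8BE34,"MET":#53A051}</colorPalette>
        </format>
        <!-- "Ranges" colouring: below 0 minutes is red, 0 and above is green -->
        <format type="color" field="diff_min">
          <colorPalette type="list">[#DC4E41,#53A051]</colorPalette>
          <scale type="threshold">0</scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```

Cell colouring in Simple XML only sees the value of the cell being formatted, so the comparison against SLA has to be done in the search and the colour applied to the derived column.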