Splunk Search

How to change the cell color of a table if SLA time is missed?

Path Finder

Hi Team,

Below is my search, from which I am getting the completion time of the job. Below is where I need your help.

1 - If the search doesn't get a completion time, is there a way to change the cell color?
2 - Is there a way to compare the completion time with the SLA time and, if the completion time is more, change the color of the cell?

| inputlookup PROD_BOX_CO
| search Job=PROD* 
| rename Job AS JOB 
| join type=left JOB [ 
    search index=ca* sourcetype=uc4 host=uc* U0011502
    | rex "U0011502 Workflow '(?<JOB>[^']+)'" 
    | stats max(_time) AS Completion_Time by JOB 
    | eval Completion_Time = strftime(Completion_Time, "%+") 
]
| table CYCLE CheckPoint JOB SLA Completion_Time
| sort Completion_Time

Lookup definition

Name :PROD_BOX_CO

Supported fields :
CYCLE,CheckPoint,Job,SLA
BAT_A,BAT1,PROD.BAT.XYZ,10:30

Lookup file : PROD_BOX_CO.csv

0 Karma

Esteemed Legend

Always avoid join if you can (and you almost always can); try this:

index="ca*" sourcetype="uc4" host="uc*" U0011502
| stats max(_time) AS Completion_Time by JOB 
| eval Completion_Time_A = strftime(Completion_Time, "%+")
| eval Completion_Time_Hour = strftime(Completion_Time, "%H%M")
| appendpipe [| inputlookup PROD_BOX_CO
   | search Job="PROD*" 
   | rename Job AS JOB ]
| stats values(*) AS * BY JOB
| rex field=SLA mode=sed "s/://"
| eval diff = SLA - Completion_Time_Hour
| fieldformat SLA = replace(SLA , "(\d{2})$", ":\1")
| fieldformat Completion_Time_Hour= replace(Completion_Time_Hour, "(\d{2})$", ":\1")
| sort 0 Completion_Time
| table CYCLE CheckPoint SLA Completion_Time_A Completion_Time_Hour diff
0 Karma

Esteemed Legend

On the stats panel, click on the crayon/marker of the field label/name that is to be compared to the SLA value.
In the dialog that opens, in the Color tab, click on None and select Ranges. You can take it from there.

0 Karma

Path Finder

I tried, but I am not getting it; I might be wrong. Can you please help, WoodCook/Team?

Supported fields :
CYCLE,CheckPoint,Job,SLA
BAT_A,BAT1,PROD.BAT1.XYZ,10:30
BAT_A,BAT2,PROD.BAT2.XYZ,09:30
BAT_B,BAT1,PROD.BAT1.XYZ,07:30

| inputlookup PROD_BOX_CO
| search Job=PROD*
| rename Job AS JOB
| join type=left JOB [
search index=ca* sourcetype=uc4 host=uc* U0011502
| stats max(_time) AS Completion_Time by JOB
| eval Completion_Time_A = strftime(Completion_Time, "%+")
| eval Completion_Time_Hour = strftime(Completion_Time, "%H:%M")
]
| eval diff = SLA-Completion_Time_Hour
| table CYCLE CheckPoint SLA Completion_Time_A Completion_Time_Hour diff
| sort Completion_Time

1 - How to calculate the time difference (SLA - Completion_Time_Hour)?
2 - If the SLA is missed, I need to highlight it in RED (if Completion_Time_Hour > SLA time, then highlight in RED).

0 Karma
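
An added example, not part of any post in this thread: a self-contained search that converts the HH:MM values to minutes before subtracting, so the difference comes out in minutes and a job with no completion time gets its own status. The three rows are constructed sample data, and sla_min, done_min, diff_min and Status are names chosen here; it assumes SLA and completion fall on the same day.

```spl
| makeresults
| eval row=split("PROD.BAT1.XYZ,10:30,09:45;PROD.BAT2.XYZ,09:30,10:05;PROD.BAT3.XYZ,07:30,", ";")
| mvexpand row
| rex field=row "^(?<JOB>[^,]+),(?<SLA>[^,]+),(?<Completion_Time_Hour>[^,]*)$"
| eval sla_min = tonumber(substr(SLA, 1, 2)) * 60 + tonumber(substr(SLA, 4, 2))
| eval done_min = tonumber(substr(Completion_Time_Hour, 1, 2)) * 60 + tonumber(substr(Completion_Time_Hour, 4, 2))
| eval diff_min = sla_min - done_min
| eval Status = case(isnull(done_min), "NO_COMPLETION", done_min > sla_min, "MISSED", true(), "MET")
| table JOB SLA Completion_Time_Hour diff_min Status
```

Because diff_min is numeric, the Ranges colouring described earlier in the thread can be applied to that column, with the range below 0 marking a missed SLA.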