Splunk Search

How to change the color of specific columns in a table?

Path Finder

What I want to do is add color formatting to multiple columns of a table depending upon the name of the columns.

       <format type="color" field="count">
      <colorPalette type="minMidMax" maxColor="#31A35F" midColor="#A2CC3E" minColor="#FFFFFF"></colorPalette>
      <scale type="minMidMax" maxType="percentile" maxValue="100" midType="percentile" midValue="50" minType="percentile" minValue="0"></scale>

The above code changes only one column, how to extend this formatting to all the columns containing count in the column header?

Edit: I want to know if we could add multiple fields in a single format tag ?

0 Karma

You can use tokens to select the column number based on the value in your select box..

And use the UI suggestion mentioned in @mayurr98 colur..it..

Normally when we change some setting in UI, it will add/change a property to you dashboard xml something like below,

<option name="column.number">0</option>
<option name="column.color">#ffff</option>
<option name="column.color">[0: "#FFF", 2:"#6767"]</option >

You can add an on-change event to your select box and set a token with the value of the column number
Please go through "Conditional operations with form inputs" section here for attaching change event and setting token..

now you can use the taken as belwo

<option name="column.number">$token_name$</option>
<option name="column.color">#ffff</option>
0 Karma

Path Finder

This option name="column.color" is not available in simple XML.

0 Karma

Bro.. I don't have 6.5.X version of splunk installed in my machine.. so don't know the exact option corresponding to the setting mentioned in @ny34940 's answer...

If you have that versin installed please do that settings and use the suggested token.... Or else ther is one straight away solution here.. please use that

0 Karma

Path Finder

Thank you for the reply. I think my question was not clear. Sorry my bad. Please read the below description and suggest any solution.

My query is something like this

[base search]| chart count() as A sum() as B avg() as C by type month

Here the months are the user input so can be changed

I can get a table like this

Type Jan18:A Jan18:B Jan18:C Nov17: A Nov17:B Nov17: C

or maybe like this

Type Feb18:A Feb18:B Feb18:C Jan18:A Jan18:B Jan18:C Dec17: A Dec17:B Dec17: C

Now I want to highlight the columns having this data avg() as C. As you can see the name and number of columns is dynamic and in future data of new months will be added as well. As the columns are changing , I have to edit every time data of new month is added. So I was asking if there is any other efficient way to do that like applying format condition on all the columns ending with a string *:C *?

I tried using this but obviously it didn't work.

format type="color" field=*"C"


0 Karma


hey @ny34940

Why do not you do it on UI itself

If you a 6.5.X splunk version, you can click a brush on the right in every column to color by the value or you can just color entire column of the table
alt text

let me know if this helps!

Path Finder

Actually the columns of the table can be changed(increased or decreased) based on the dropdowns but the column headers always end with same word.

0 Karma


do you want to change the color of column name?

0 Karma

Path Finder

No I want to change the color of the whole column.

Suppose this is my table depending on one input field
Name Nov-AVG Nov-Count Oct-AVG Oct-Count

It could be changed to this as well
Name Oct-AVG Oct-Count Sep-AVG Sep-Count

Now I want to change the color of all the count columns. The table above can be changed depending on the dropdown. The data can be of any other months but for each month we have 2 columns(avg and count) and I want to add color formatting to only the count columns.

0 Karma


It will not change according to deopdown . If you see my entire column is red. Can you close mark near colors . You can exit multiple colors and keep only one color. And you can customize that color by clicking on it. And put the hex cold of the color you want. So for that column there will only be one color. You can adjust the option according to your need. Its not only based on values in the dropdpwn. You can make it a way to color entire column .

0 Karma

Path Finder

I understand what you saying but my requirements are different. What I want to know is if we could add multiple fields in a single format tag?

Something like this
format type="color" field="Nov-Count" or "Oct-Count"

or this
format type="color" field=*"count"

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!