Re: How to compare a column with multiple columns ...

vrmandadi · ‎11-18-2022

I am trying to compare a static column(Baseline) with multiple columns(hosts) and if there is a difference I need to highlight that cell in red

Component	BASELINE	HOSTA	HOSTB	HOSTC
GPU	20	20	5	7
GPU1	5	7	7	5
FW	2.4.2	2.4.2	2.4.2	2.4.3
IP	1.1.1.1	1.1.1.2	1.1.1.1	1.1.1.1
ID	[234 , 336]	[234 , 336]	[134 , 336]	[234 , 336]

<form theme="dark">
  <label>Preos Firmware Summary - Liquid Cooled</label>
  
  <fieldset submitButton="false">
    <input type="multiselect" token="tok_host" searchWhenChanged="true">
      <label>Host</label>
      <valueSuffix>,</valueSuffix>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled
| stats count by host 
| dedup host</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <delimiter> </delimiter>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="tok_component" searchWhenChanged="true">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Component</fieldForLabel>
      <fieldForValue>Component</fieldForValue>
      <search>
        <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled  host IN ($tok_host$)  "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW(\d\s|\s)FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| search Component IN("*") 
| stats latest(output) as output latest(_time) as _time by Component host 
| fields - _time 
| eval from="search" 
| join Component 
    [| inputlookup FW_Tracking_Baseline.csv 
    | search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | rename Baseline as lookup_output 
    | fields lookup_output Component output] 
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output 
| replace 1 WITH "match" IN case 
| replace 0 WITH "No match" IN case 
| stats values(Component) as Component by host lookup_output case output 
| stats count by Component 
| dedup Component</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
      <valuePrefix>"</valuePrefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW\d\s*FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| stats latest(output) as output latest(_time) as _time by Component host 
| eval from="search"
| fields - _time 
| chart values(output) by Component host limit=0 
| fillnull value="No Data" | join Component 
    [ | inputlookup FW_Tracking_Baseline.csv 
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | fields Baseline Component output] 
| fields Component Baseline *
| fillnull value="No Data"</query>
          <earliest>-90d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Thanks in Advance

yuanliu · ‎11-18-2022

Is this a question only about how to turn a cell red, or is this a question about how to highlight a deviation?

To highlight deviation, you can iterate over HOST*, like this:

| foreach HOST*
    [eval <<FIELD>> = if(<<FIELD>> != BASELINE, "!!".<<FIELD>>."!!", <<FIELD>>)]

Your sample data give this output

BASELINE	Component	HOSTA	HOSTB	HOSTC
20	GPU	20	!!5!!	!!7!!
5	GPU1	!!7!!	!!7!!	5
2.4.2	FW	!! 2.4.2!!	!! 2.4.2!!	!! 2.4.3!!
1.1.1.1	IP	!!1.1.1.2!!	1.1.1.1	1.1.1.1
[234 , 336]	ID	[234 , 336]	!![134 , 336]!!	[234 , 336]

To turn a cell red, you'll have to use custom HTML which will allow some JavaScript magic.

vrmandadi · ‎11-18-2022

@yuanliu Thank you. for your reply.Sorry if my question was not clear.Yes I want to highlight the cell in RED when its different from the baseline value.Can you let me know what changes I need to make on my HTML

yuanliu · ‎11-18-2022

This is a search forum. You still need to use Splunk search to markup results as I illustrated. Hope that is helpful.

The older Convert a dashboard to HTML is no longer supported in 8.1 and above. Instead of writing custom JavaScript, a better option would be to use Dashboard Studio which has been available since 8.1. If you have questions about rendering visualization effects, your better bet is Dashboards & Visualizations. (I'm not sure how much JavaScript customization is allowed in Studio. I'm sure colorization based on a generic markup as I demonstrated is not supported.)

vrmandadi · ‎11-21-2022

@yuanliu I was able to tweak the XML and was able to get the color the cell.

 <format type="color">
          <colorPalette type="expression">if (like(value,"!!%")"#FFCCCB","#90EE90")</colorPalette>
        </format>

How to compare a column with multiple columns in Splunk and highlight the cell not matching with red?

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms