Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare a column with multiple columns in Splunk and highlight the cell not matching with red?

vrmandadi
Builder
‎11-18-2022 08:27 AM

I am trying to compare a static column(Baseline) with multiple columns(hosts) and if there is a difference I need to highlight that cell in red


Component   BASELINE HOSTA HOSTB HOSTC
GPU 20 20 5 7
GPU1 5 7 7 5
FW 2.4.2  2.4.2  2.4.2  2.4.3
IP 1.1.1.1 1.1.1.2 1.1.1.1 1.1.1.1
ID [234 , 336] [234 , 336] [134 , 336] [234 , 336]

 

 

 

 

<form theme="dark">
  <label>Preos Firmware Summary - Liquid Cooled</label>
  
  <fieldset submitButton="false">
    <input type="multiselect" token="tok_host" searchWhenChanged="true">
      <label>Host</label>
      <valueSuffix>,</valueSuffix>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled
| stats count by host 
| dedup host</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <delimiter> </delimiter>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="tok_component" searchWhenChanged="true">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Component</fieldForLabel>
      <fieldForValue>Component</fieldForValue>
      <search>
        <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled  host IN ($tok_host$)  "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW(\d\s|\s)FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| search Component IN("*") 
| stats latest(output) as output latest(_time) as _time by Component host 
| fields - _time 
| eval from="search" 
| join Component 
    [| inputlookup FW_Tracking_Baseline.csv 
    | search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | rename Baseline as lookup_output 
    | fields lookup_output Component output] 
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output 
| replace 1 WITH "match" IN case 
| replace 0 WITH "No match" IN case 
| stats values(Component) as Component by host lookup_output case output 
| stats count by Component 
| dedup Component</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
      <valuePrefix>"</valuePrefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW\d\s*FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| stats latest(output) as output latest(_time) as _time by Component host 
| eval from="search"
| fields - _time 
| chart values(output) by Component host limit=0 
| fillnull value="No Data" | join Component 
    [ | inputlookup FW_Tracking_Baseline.csv 
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | fields Baseline Component output] 
| fields Component Baseline *
| fillnull value="No Data"</query>
          <earliest>-90d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

 

 

Thanks in Advance

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-18-2022 02:58 PM

Is this a question only about how to turn a cell red, or is this a question about how to highlight a deviation?

To highlight deviation, you can iterate over HOST*, like this:

 

| foreach HOST*
    [eval <<FIELD>> = if(<<FIELD>> != BASELINE, "!!".<<FIELD>>."!!", <<FIELD>>)]

 

Your sample data give this output

BASELINEComponentHOSTAHOSTBHOSTC
20GPU20!!5!!!!7!!
5GPU1!!7!!!!7!!5
2.4.2FW!! 2.4.2!!!! 2.4.2!!!! 2.4.3!!
1.1.1.1IP!!1.1.1.2!!1.1.1.11.1.1.1
[234 , 336]ID[234 , 336]!![134 , 336]!![234 , 336]

To turn a cell red, you'll have to use custom HTML which will allow some JavaScript magic.

Tags (1)
0 Karma
Reply

vrmandadi
Builder
‎11-18-2022 04:24 PM

@yuanliu Thank you. for your reply.Sorry if my question was not clear.Yes I want to highlight the cell in RED when its different from the baseline value.Can you let me know what changes I need to make on my HTML

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-18-2022 05:13 PM

This is a search forum.  You still need to use Splunk search to markup results as I illustrated.  Hope that is helpful.

The older Convert a dashboard to HTML is no longer supported in 8.1 and above.  Instead of writing custom JavaScript, a better option would be to use Dashboard Studio which has been available since 8.1.  If you have  questions about rendering visualization effects, your better bet is Dashboards & Visualizations. (I'm not sure how much JavaScript customization is allowed in Studio.  I'm sure colorization based on a generic markup as I demonstrated is not supported.)

0 Karma
Reply

vrmandadi
Builder
‎11-21-2022 08:48 AM

@yuanliu  I was able to tweak the XML and was able to get the color the cell.

 <format type="color">
          <colorPalette type="expression">if (like(value,"!!%")"#FFCCCB","#90EE90")</colorPalette>
        </format>
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...