How to compare a column with multiple columns in S...

vrmandadi · ‎11-18-2022

I am trying to compare a static column(Baseline) with multiple columns(hosts) and if there is a difference I need to highlight that cell in red

Component	BASELINE	HOSTA	HOSTB	HOSTC
GPU	20	20	5	7
GPU1	5	7	7	5
FW	2.4.2	2.4.2	2.4.2	2.4.3
IP	1.1.1.1	1.1.1.2	1.1.1.1	1.1.1.1
ID	[234 , 336]	[234 , 336]	[134 , 336]	[234 , 336]

<form theme="dark">
  <label>Preos Firmware Summary - Liquid Cooled</label>
  
  <fieldset submitButton="false">
    <input type="multiselect" token="tok_host" searchWhenChanged="true">
      <label>Host</label>
      <valueSuffix>,</valueSuffix>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled
| stats count by host 
| dedup host</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <default>*</default>
      <delimiter> </delimiter>
      <choice value="*">All</choice>
    </input>
    <input type="multiselect" token="tok_component" searchWhenChanged="true">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>Component</fieldForLabel>
      <fieldForValue>Component</fieldForValue>
      <search>
        <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled  host IN ($tok_host$)  "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW(\d\s|\s)FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| search Component IN("*") 
| stats latest(output) as output latest(_time) as _time by Component host 
| fields - _time 
| eval from="search" 
| join Component 
    [| inputlookup FW_Tracking_Baseline.csv 
    | search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | rename Baseline as lookup_output 
    | fields lookup_output Component output] 
| stats count(eval(lookup_output==output)) AS case BY host Component output lookup_output 
| replace 1 WITH "match" IN case 
| replace 0 WITH "No match" IN case 
| stats values(Component) as Component by host lookup_output case output 
| stats count by Component 
| dedup Component</query>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </search>
      <valueSuffix>"</valueSuffix>
      <delimiter> ,</delimiter>
      <valuePrefix>"</valuePrefix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=preos_inventory sourcetype = preos_inventory Type=Liquid_Cooled host IN ($tok_host$) "IB HCA FW" OR *CPLD* OR BMC OR SBIOS OR *nvme* OR "*GPU* PCISLOT*" OR *NVSW* 
| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;Component&gt;[^\:]+)\:\s*(?&lt;Hardware_Details&gt;.*)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*CPLD\:\s*(?&lt;Hardware&gt;[^.*]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*BMC\:\s*version\:\s*(?&lt;Hardware1&gt;[^\,]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*SBIOS\s*version\:\s*(?&lt;Hardware2&gt;[^ ]+)" 
| rex field=_raw "log-inventory.sh\[\d*\]\:\s*nvme\d*\:.*FW\:\s*(?&lt;Hardware3&gt;[^ ]+)" 
| rex field=_raw "VBIOS\:\s*(?&lt;Hardware4&gt;[^\,]+)" 
| rex field=_raw "NVSW\d\s*FW\:\s*(?&lt;Hardware5&gt;(.*))" 
| rex field=_raw "IB\s*HCA\sFW\:\s*(?&lt;Hardware6&gt;(.*))" 
| eval output = mvappend(Hardware,Hardware1,Hardware2,Hardware3,Hardware4,Hardware5,Hardware6) 
| replace BMC WITH "BMC and AUX" in Component 
| stats latest(output) as output latest(_time) as _time by Component host 
| eval from="search"
| fields - _time 
| chart values(output) by Component host limit=0 
| fillnull value="No Data" | join Component 
    [ | inputlookup FW_Tracking_Baseline.csv 
| search Component!=*ERoT* Component!=PCIeRetimer* Component!="BMC FW ver" 
    | table Component Baseline 
    | eval from="lookup" 
    | fields Baseline Component output] 
| fields Component Baseline *
| fillnull value="No Data"</query>
          <earliest>-90d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">50</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Thanks in Advance

yuanliu · ‎11-18-2022

Is this a question only about how to turn a cell red, or is this a question about how to highlight a deviation?

To highlight deviation, you can iterate over HOST*, like this:

| foreach HOST*
    [eval <<FIELD>> = if(<<FIELD>> != BASELINE, "!!".<<FIELD>>."!!", <<FIELD>>)]

Your sample data give this output

BASELINE	Component	HOSTA	HOSTB	HOSTC
20	GPU	20	!!5!!	!!7!!
5	GPU1	!!7!!	!!7!!	5
2.4.2	FW	!! 2.4.2!!	!! 2.4.2!!	!! 2.4.3!!
1.1.1.1	IP	!!1.1.1.2!!	1.1.1.1	1.1.1.1
[234 , 336]	ID	[234 , 336]	!![134 , 336]!!	[234 , 336]

To turn a cell red, you'll have to use custom HTML which will allow some JavaScript magic.

vrmandadi · ‎11-18-2022

@yuanliu Thank you. for your reply.Sorry if my question was not clear.Yes I want to highlight the cell in RED when its different from the baseline value.Can you let me know what changes I need to make on my HTML

yuanliu · ‎11-18-2022

This is a search forum. You still need to use Splunk search to markup results as I illustrated. Hope that is helpful.

The older Convert a dashboard to HTML is no longer supported in 8.1 and above. Instead of writing custom JavaScript, a better option would be to use Dashboard Studio which has been available since 8.1. If you have questions about rendering visualization effects, your better bet is Dashboards & Visualizations. (I'm not sure how much JavaScript customization is allowed in Studio. I'm sure colorization based on a generic markup as I demonstrated is not supported.)

vrmandadi · ‎11-21-2022

@yuanliu I was able to tweak the XML and was able to get the color the cell.

 <format type="color">
          <colorPalette type="expression">if (like(value,"!!%")"#FFCCCB","#90EE90")</colorPalette>
        </format>

How to compare a column with multiple columns in Splunk and highlight the cell not matching with red?

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?

Are you a member of the Splunk Community?

How to compare a column with multiple columns in Splunk and highlight the cell not matching with red?

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?