Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display certain background colors for single value visualizations based on search results?

JoshuaJohn
Contributor
‎07-26-2016 02:34 PM

I am trying to make my search have 3 different background colors: Green if healthy, Yellow if warning, Red if critical. Right now all the code displays is the correct information without any colors. I took the query part out cause it was long and irrelevant

index="query"
| eval Level=if(Alert_Type="Critical",2,if(Alert_Type="Warning",1,0)) 
| eval key=Description.ID 
| stats dc(key) AS num max(Level) AS Level 
| eval count=if(Level=1,"Alert Level: Warning - Total Alerts: ".num,if(Level=2,"Alert Level: Critical - Total Alerts: ".num,"Alert Level: Healthy - Total Alerts: 0")) 
| eval Level=if(isnotnull(Level),Level,0) 
| eval myClassField=case(Level=2,"red",Level=1,"yellow",Level=0,"green") 
| table count Level myClassField 
| rename count AS "Health Summary"

Thanks for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-26-2016 02:42 PM

How about this

index="query"
| eval Level=if(Alert_Type="Critical",2,if(Alert_Type="Warning",1,0)) 
| eval key=Description.ID 
| stats dc(key) AS num max(Level) AS Level 
| eval  "Health Summary"=if(Level=1,"Alert Level: Warning - Total Alerts: ".num,if(Level=2,"Alert Level: Critical - Total Alerts: ".num,"Alert Level: Healthy - Total Alerts: 0")) | fillnull Level value=0 | rangemap field=Level severe=2-2 elevated=1-1 default=low
| table "Health Summary" range

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-26-2016 02:42 PM

How about this

index="query"
| eval Level=if(Alert_Type="Critical",2,if(Alert_Type="Warning",1,0)) 
| eval key=Description.ID 
| stats dc(key) AS num max(Level) AS Level 
| eval  "Health Summary"=if(Level=1,"Alert Level: Warning - Total Alerts: ".num,if(Level=2,"Alert Level: Critical - Total Alerts: ".num,"Alert Level: Healthy - Total Alerts: 0")) | fillnull Level value=0 | rangemap field=Level severe=2-2 elevated=1-1 default=low
| table "Health Summary" range
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...