
In a table format, how can I color a field if its value is greater than a certain number?

kannu
Communicator

Hello Splunkers,

I have data in the following format:

/dev/mapper/splunkcisvg-auditlv  8.0G  353M  7.7G   5% /var/log/audit

/dev/sda1                        509M  164M  346M  33% /boot

which I am parsing using a regex expression in the query

index=* sourcetype="disk_load"
| rex "(?<FileSystem>^[\w\/-]*)[ ]*(?:[\d\w.]*)[ ]*(?:[\d\w.]*)[ ]*(?:[\d\w.]*)[ ]*(?<Use>[\d]*)%[ ]*(?<Mounted>[\w\/]*)"
| stats list(FileSystem), list(Use) ,values(Mounted) by host

The issue I am having is that I need to color the values red wherever the "Use" field has a value greater than 70.

I tried table formatting but it's not showing any color. I have used the range option but it's not resulting in any color.

Guys please help


niketn
Legend

@kannu you are trying to apply Table color on a field with Multiple Values (which may not work without using Simple XML JS and CSS Extensions).

The following is what you should try instead with your query, and apply color on the Use field:

<yourCurrentSearch>
| stats count by host FileSystem Use Mounted
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
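
The approach from this answer as a Simple XML table, shown as an added example that is not part of the original post: `stats ... by` yields one row per host and filesystem, so `Use` is single-valued and an expression color palette can turn cells above 70 red. The dashboard label, time range, colors, and the unnamed middle groups in the `rex` are assumptions; the field names come from the question's `stats` line.

```xml
<dashboard>
  <label>Disk usage by filesystem</label>
  <row>
    <panel>
      <table>
        <!-- CDATA keeps the named-group angle brackets in the rex intact -->
        <search>
          <query><![CDATA[
index=* sourcetype="disk_load"
| rex "(?<FileSystem>^[\w\/-]*)[ ]*(?:[\d\w.]*)[ ]*(?:[\d\w.]*)[ ]*(?:[\d\w.]*)[ ]*(?<Use>[\d]*)%[ ]*(?<Mounted>[\w\/]*)"
| stats count by host FileSystem Use Mounted
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <!-- Use is single-valued per row, so the color format is evaluated per cell -->
        <format type="color" field="Use">
          <colorPalette type="expression">if(value > 70, "#DC4E41", "#FFFFFF")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```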


kannu
Communicator

@niketnilay,

So how can I do it using XML or CSS? Just point me in the right direction.

niketn
Legend

See one of my recent answers in case your table has multi-values and you want to color them based on range: https://answers.splunk.com/answers/694420/is-it-possible-to-highlight-a-value-within-a-multi-1.html
