Hello,
I have a multiselect list of the days of the week, and I want my search results table to be highlighted if those days are part of the event (there will be results shown that don't match the days of the week selected). I can't figure out how to highlight the cells in the results table that match the options selected in the multiselect. A simple example of what I thought would work but nothing gets highlighted:
<form>
<label>After Hours Logons</label>
<fieldset submitButton="true">
<input type="multiselect" token="txt_weekend_days">
<label>Weekend Days</label>
<choice value="Saturday">Saturday</choice>
<choice value="Sunday">Sunday</choice>
<choice value="Monday">Monday</choice>
<choice value="Tuesday">Tuesday</choice>
<choice value="Wednesday">Wednesday</choice>
<choice value="Thursday">Thursday</choice>
<choice value="Friday">Friday</choice>
<initialValue>Saturday,Sunday</initialValue>
<valuePrefix>"</valuePrefix>
<delimiter>, </delimiter>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<title>Logons</title>
<table>
<search>
<query>index=wineventlog sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4624
| eval day = strftime(_time,"%A")
| table _time day host User</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<format type="color" field="day">
<colorPalette type="expression">if (value IN ($txt_weekend_days$),"#FF0000", "#00FF00")</colorPalette>
</format>
</table>
</panel>
</row>
</form>
So the issue is related to the line:
<colorPalette type="expression">if (value IN ($txt_weekend_days$),"#FF0000", "#00FF00")</colorPalette>
I tried a number of ways to format this but had no luck. Does anyone know if this is possible? I know that the token txt_weekend_days expands to "Saturday", "Sunday" without issue, which should work with the IN statement, but it seems like the type of expression that the colorPalette accepts is limited.
I am running Splunk Enterprise 7.2.6.
Thank you
Noah