Try something like this <dashboard version="1.1" theme="light"> <label>Font colours</label> <row> <panel depends="$alwayshidden$"> <html> <style> #fontcolours div.multivalue-subcell[data-mv-index="0"] { color: limegreen !important; } #fontcolours div.multivalue-subcell[data-mv-index="1"] { color: orange !important; } #fontcolours div.multivalue-subcell[data-mv-index="2"] { color: red !important; } #fontcolours div.multivalue-subcell[data-mv-index="3"] { color: grey !important; } </style> </html> </panel> <panel> <table id="fontcolours"> <search> <query>| makeresults count=10 | fields - _time | eval A=100-(random()%201/100) | eval B=100-(random()%201/100) | eval C=100-(random()%201/100) | foreach A B C [| eval &lt;&lt;FIELD&gt;&gt;=case(&lt;&lt;FIELD&gt;&gt;&lt;=98.2,mvappend("","","","-"),&lt;&lt;FIELD&gt;&gt;&gt;=99.90,mvappend(&lt;&lt;FIELD&gt;&gt;,"","",""),&lt;&lt;FIELD&gt;&gt;&gt;=99,mvappend("",&lt;&lt;FIELD&gt;&gt;,"",""),true(),mvappend("","",&lt;&lt;FIELD&gt;&gt;,""))]</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </dashboard> Basically, you can colour font by selecting different multivalues ... View more

This is basically the same problem you asked about last month (which you said you had solved), however, pursuing the other solutions offered at the time might prove more helpful in this instance? ... View more

The row tokens don't work in palette expressions. You could try something like this:  Essentially, the technique is to create a multi-value field with a tag for the colour you want to be used, then use format/colorPalette to set the colour and some CSS to hide the extra value in the multi-value field See this solution https://community.splunk.com/t5/Splunk-Search/How-to-change-table-cell-background-color-depends-on-s...  ... View more

https://regex101.com/r/cBungW/1 "resource_id": "[^"]*?(?<last_word>\w+)" | makeresults | eval _raw="{\"resource_id\": \"/subscriptions/85bbb6fe-yyyy-xxx-81a6-806aaa0ca/resourceGroups/vg-test/providers/Microsoft.Web/sites/TestAPI\", \"metric_name\": \"FSUsage\", \"timeStamp\": \"2025-12-14T14:48:00Z\", \"subscription_id\": \"85bbb6fe-yyyy-xxx-81a6-806aaa0ca\", \"unit\": \"Bytes\", \"namespace\": \"microsoft.web/sites\", \"resource_group\": \"vg-test\", \"average\": 0}" | append [| makeresults | eval _raw="{\"resource_id\": \"/subscriptions/85bbb6fe-yyyy-xxx-81a6-806aaa0ca/resourceGroups/vg-test/providers/Microsoft.Sql/servers/test-sql-01/databases/Test_Prod\", \"metric_name\": \"allocated_storage\", \"timeStamp\": \"2025-12-14T14:57:00Z\", \"subscription_id\": \"85bbb6fe-yyyy-xxx-81a6-806aaa0ca\", \"unit\": \"Bytes\", \"namespace\": \"microsoft.sql/databases\", \"resource_group\": \"vg-test\", \"average\": 855016}"] | rex "\"resource_id\": \"[^\"]*?(?<last_word>\w+)\"" ... View more

| foreach mode=multivalue stems [| eval expandedvalues = mvappend(expandedvalues,replace(JOB, "\*", <<ITEM>>))] ... View more

Events will be processed reverse chronological order, so unless you resort them, you might want first rather than last | streamstats time_window=24h first(FIELD1) as prev_field_value by FIELD2,FIELD3,FIELD4,FIELD5 ... View more