×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
darrfang
Explorer
Member since: ‎07-10-2024
‎12-23-2025
Community Statistics
Posts 6
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎07-10-2024
Activity Feed
View All

Re: How to color the column based on the value of ...

by in Dashboards & Visualizations
‎12-23-2025 03:36 PM
‎12-23-2025 03:36 PM
Thank you so much! this also works on my cases,  sorry the system only allows me to accept one solution for now but this solution works perfectly on what I would like to achieve 🙏 ... View more

Re: How to color the column based on the value of ...

by in Dashboards & Visualizations
‎12-23-2025 03:33 PM
‎12-23-2025 03:33 PM
thanks! this is the trick that works for my case! ... View more

How to color the column based on the value of anot...

by in Dashboards & Visualizations
‎12-17-2025 06:41 PM
‎12-17-2025 06:41 PM
Hey Splunk team,  I have a data similar to this: | makeresults | eval data="ABC,10,15;DEF,12,13;GHI,11,14" | makemv delim=";" data | mvexpand data | eval label=mvindex(split(data,","),0) | eval duration1=tonumber(mvindex(split(data,","),1)) | eval duration2=tonumber(mvindex(split(data,","),2)) | eval duration_diff=abs(duration1 - duration2) | table label duration1 duration2 duration_diff     which I wanted to highlight the color in red,  if value of abs(duration1 - duration2) is >2, making the column red. In the example above, column 10, 15 & 11, 14 should be red.   I tried to do something like this but not able to get it work, could you help me how to do that, thank you! <format type="color" field="duration2"> <colorPalette type="expression">if ($row.duration_diff$ &gt; 2 ,"#DC4E41", null())</colorPalette> </format>   ... View more
Labels

Re: extract all the key-value pairs from the json ...

by in Splunk Search
‎02-11-2025 02:44 PM
‎02-11-2025 02:44 PM
Hi @livehybrid this works like magic! thanks a lot for giving  me the insights! Just wondering what's the reason at here that you did mvexpand twice just did some test seems that  if I remove `| mvexpand data_value` I can still get the same results / format ... View more

extract all the key-value pairs from the json data

by in Splunk Search
‎02-11-2025 11:41 AM
‎02-11-2025 11:41 AM
Hi splunk team,  I have a question about how to extract the key-value pair from json data. Let's say for example I have two raw data like this:   # raw data1: { "key1": { "key2": { "key3": [ {"data_value": {"aaa": "12345", "bbb": "23456"}} ] } } } # raw data 2: { "key1": { "key2": { "key3": [ {"data_value": {"ccc": "34567"}} ] } } }     how can I extract the key-value results in all the data_value, to be a table as:   node value aaa 12345 bbb 23456 ccc 34567       I current have a splunk query that could do part of it:   ```some search...``` | spath output=pairs path=key1.key2.key3{}.data_value | rex field=hwids "\"(?<node>[^\"]+)\":\"(?<value>[^\"]+)\"" | table node value pairs   but this only gives me the result of all the first data, result would look like below, that ignore the data of  "bbb":"23456". Please give me some advice on how to grab all the results, thanks!   node value pairs aaa 12345 {"aaa": "12345", "bbb": "23456"} ccc 34567 {"ccc": "34567"}       ... View more
Labels

Grab json value with dynamic key from splunk

by in Splunk Search
‎07-10-2024 05:45 PM
‎07-10-2024 05:45 PM
Hi everyone,   I have a json data payload as below:     { location: US all_results: { serial_a: { result: PASS, version: 123, data:[ data1, data2, data3 ] }, serial_b: { result: PASS, version: 456, data:[ data4, data5 ] }, serial_c: { result: FAIL, version: 789, data:[ data6, data7 ] } } }         and I would like to use splunk query and make a table as: serial_number  result version  data serial_a PASS 123 data1, data2, data3 serial_b PASS 456 data4, data5, serial_c fail 789 data6, data7   how to use splunk query to organize the result? I know I'm able to grab the data by: | spath path=all_results output=all_results | eval all_results=json_extract(all_results) The difficult part is at the serial_number. They have some common prefix serial, but it's dynamic. Therefore , when I try to grab the data inside serial_number, for example version, I'm not able to use query like: | spath  output=version path=all_result.serial*.version Could you give me some idea to do that? thank you! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-23-2025 02:49 PM
Karma given to