Can you help us change the color on the background of a single value visualization?

jip31
Builder

Hi,

I use a single value in a dashboard which returns GOOD or BAD.

If the value is GOOD, I want to color the background in green and in red if it's BAD
But I don't have this possibility in the single value format.

| eval Status=if(Status="OK", "GOOD", "BAD") 
| table Status

Could you help me please??

0 Karma

niketnilay
Legend

@jip31 since you do not have access for installing custom visualization apps, I would expect you can't use JavaScript static file as well, otherwise one of the options would be to use Simple XML JS extension to color Single Value based on values using JavaScript: https://answers.splunk.com/answers/583539/can-we-set-two-different-colors-for-single-value-a.html

You can also check out Custom Decorations example in the Splunk Dashboard Examples App which also uses Simple XML CSS Extension in <html> panel, where CSS changes can be brought inside Simple XML Dashboard.

Following is a list of 4 other options to Color Single Value, with their advantage/disadvantage. See whichever fits best (hopefully one of the CSS overrides ;)):

Following is the complete Simple XML code:

<dashboard>
  <label>Single Value Color By Rangemap</label>
  <row>
    <panel>
      <title>Option 1: Single Value Color with rangemap (caution while editing as rangemap can get overridden)</title>
      <single>
        <search>
          <query>| makeresults 
| eval state="GOOD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1)
| rangemap field=severity low=0-0 default=severe</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
      </single>
      <single>
        <search>
          <query>| makeresults 
| eval state="BAD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1)
| rangemap field=severity low=0-0 default=severe</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
      </single>
      <html>
        <div>
          <a href="https://docs.splunk.com/Documentation/Splunk/latest/Viz/SingleValueFormatting#Migration_for_rangemap_settings_in_existing_single_value_visualizations">Single Value rangemap migration.</a>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 2: Deprecated classField option</title>
      <single>
        <search>
          <query>| makeresults 
| eval state="GOOD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1)
| rangemap field=severity low=0-0 default=severe</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="classField">severity</option>
        <option name="field">state</option>
      </single>
      <single>
        <search>
          <query>| makeresults 
| eval state="BAD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1)
| rangemap field=severity low=0-0 default=severe</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
        <option name="classField">severity</option>
        <option name="field">state</option>
      </single>
      <html>
        <div>
          <a href="https://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#single_value">Single Value Simple XML Configuration</a>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 3: Token for Single Value Block color using CSS Override</title>
      <html depends="$alwaysHideCSSStylePanel$">
        <style>
          #singleWithCSSOverride1 svg.svg-container rect{
            fill: $tokColor1$ !important;
          }
          #singleWithCSSOverride2 svg.svg-container rect{
            fill: $tokColor2$ !important;
          }
        </style>
      </html>
      <single id="singleWithCSSOverride1">
        <search>
          <query>| makeresults 
| eval state="GOOD"
| table state</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
      <single id="singleWithCSSOverride2">
        <search>
          <query>| makeresults 
| eval state="BAD"
| table state</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <eval token="tokColor2">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 4: Token for Single Value Text color using CSS Override</title>
      <html depends="$alwaysHideCSSStylePanel$">
        <style>
          #singleWithCSSOverride3 svg.svg-container text.single-result{
            fill: $tokColor1$ !important;
          }
          #singleWithCSSOverride4 svg.svg-container text.single-result{
            fill: $tokColor2$ !important;
          }
        </style>
      </html>
      <single id="singleWithCSSOverride3">
        <search>
          <query>| makeresults 
| eval state="GOOD"
| table state</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
      <single id="singleWithCSSOverride4">
        <search>
          <query>| makeresults 
| eval state="BAD"
| table state</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <done>
            <eval token="tokColor2">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

paramagurukarth
Builder

Add a new field to the table that represents your desired background color and set that using CSS like below

<dashboard>
  <label>test_back</label>
  <row>
    <panel id="my_pannel">
      <single>
        <search>
          <query>index=*| eval Status=if(Status="OK", "GOOD", "BAD") | eval background=if(Status="GOOD", "green", "red")  | table Status, background</query>
          <earliest>0</earliest>
          <finalized>
            <set token="background">$result.background$</set>
          </finalized>
          <latest></latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
  <row id="hidden_row">
    <panel>
      <html>
        <style>
          #hidden_row{
            display:none !important;
          }
          #my_pannel .single-value svg.svg-container {
            background:$background$;
          }
        </style>
      </html>
    </panel>
  </row>
</dashboard>
0 Karma

jip31
Builder

Hi and thanks

I tried to adapt your code but it doesn't work.
Could you help me please???

<row>
    <panel id="my_pannel">
      <title>Disk Remaining Space Status</title>
      <single>
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 
| search host="$tok_filterhost$" 
| fields - host | fields - host | eval background=if(Free_Space="OK", "GOOD", "BAD")| eval background=if(Free_Space="OK", "green", "red")  </query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorMode">block</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Disk Health Status</title>
      <single>
        <title>Good : Status = OK - Bad : Status = Not OK</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status" 
| search host="$tok_filterhost$" 
| fields - host | eval background=if(Free_Space="OK", "GOOD", "BAD")| eval background=if(Free_Space="OK", "green", "red")</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
  <row id="hidden_row">
    <panel>
      <html>
        <style>
          #hidden_row{
             display:none !important;
         }
          #my_pannel .single-value svg.svg-container {
              background:$background$;
           }
        </style>
       </html>
0 Karma

paramagurukarth
Builder

You missed the below part

<finalized>
       <set token="background">$result.background$</set>
 </finalized>

This is where the token value is updated

0 Karma


jip31
Builder

@niketnilay
Hi,
I chose option 3 but I have a question.
In one panel I can have a GOOD or BAD value.

    <panel>
      <title>Disk Remaining Space Status</title>
      <html depends="$alwaysHideCSSStylePanel$">
        <style>
          #singleWithCSSOverride1 svg.svg-container rect{
            fill: $tokColor1$ !important;
          #singleWithCSSOverride2 svg.svg-container rect{
            fill: $tokColor2$ !important;
          }
        </style>
      </html>
      <single id="singleWithCSSOverride1">
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size"| eval state="GOOD"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <done>
            <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>

So I want to add an eval state="BAD" in, but I don't understand how to do it.
Do I have to add something in eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")?
Thanks for your help

0 Karma

jip31
Builder

Could you just tell me if what I have done is good in my two different panels??
What is strange is that I have "GOOD" in the 2 panels, but for one panel GOOD is green and for the other GOOD is grey!!
Thanks

 <row>
    <panel>
      <title>Disk Remaining Space Status</title>
      <html depends="$alwaysHideCSSStylePanel$">
       <style>
          #singleWithCSSOverride1 svg.svg-container rect{
             fill: $tokColor1$ !important;
           #singleWithCSSOverride2 svg.svg-container rect{
             fill: $tokColor2$ !important;
           }
        </style>
       </html>
      <single id="singleWithCSSOverride1">
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size"| eval state="GOOD"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>

          <done>
           <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>


        </search>
        <option name="colorMode">block</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Disk Health Status</title>
      <single>
        <title>Good : Status = OK - Bad : Status = Not OK</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status" | eval state="BAD"</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <done>
            <eval token="tokColor2">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
           </done>

        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="rangeColors">["0x555","0x555"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
0 Karma

jip31
Builder

Hi

I applied your code but I don't understand why I have 2 different colors in two different panels even if the value is "GOOD".
You can see the screenshot here
https://cjoint.com/c/IAhl7mQwPQc

and the xml here

<panel>
      <title>Disk Remaining Space Status</title>
      <html depends="$alwaysHideCSSStylePanel$">
       <style>
          #singleWithCSSOverride1 svg.svg-container rect{
             fill: $tokColor1$ !important;
           #singleWithCSSOverride2 svg.svg-container rect{
             fill: $tokColor2$ !important;
           }
        </style>
       </html>
      <single id="singleWithCSSOverride1">
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 
| search host="$tok_filterhost$" 
| fields - host 
| eval state="GOOD"
</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>

          <done>
            <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
           </done>


        </search>
        <option name="colorMode">block</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Disk Health Status</title>
      <single>
        <title>Good : Status = OK - Bad : Status = Not OK</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status" 
| search host="$tok_filterhost$" 
| fields - host
| eval state="BAD"
</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>

          <done>
             <eval token="tokColor2">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
            </done>

        </search>
0 Karma

niketnilay
Legend

@jip31, have you ensured that all the <option> settings in <single> value panel 1 are the same as in single value panel 2?

If so, open the Browser Inspector by right-clicking the grey rectangle of the single value panel that is not working. See whether the CSS override for the second one shows up or not. Refer to the following older answer of mine to see how to use the Browser Inspector: https://answers.splunk.com/answers/590387/how-do-i-update-panel-color-in-splunk-using-css-1.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
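
An added example, not part of the original thread or any poster's code: a small Python check for the `<style>` token override used in Option 3. It reports unbalanced CSS braces, `#id` selectors that match no element `id`, and CSS tokens that no `<set>`, `<eval>` or `<input>` assigns. The function names and the shortened sample dashboard are constructed for illustration, and the brace check assumes plain, non-nested CSS rules.

```python
"""Lint Simple XML dashboards that colour panels through <style> token overrides."""
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the two-panel dashboard in the thread
# (same ids and tokens; searches shortened to makeresults).
SAMPLE = """<dashboard>
  <row>
    <panel>
      <html depends="$alwaysHideCSSStylePanel$">
        <style>
          #singleWithCSSOverride1 svg.svg-container rect{
            fill: $tokColor1$ !important;
          #singleWithCSSOverride2 svg.svg-container rect{
            fill: $tokColor2$ !important;
          }
        </style>
      </html>
      <single id="singleWithCSSOverride1">
        <search>
          <query>| makeresults | eval state="GOOD"</query>
          <done>
            <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval state="GOOD"</query>
          <done>
            <eval token="tokColor2">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
          </done>
        </search>
      </single>
    </panel>
  </row>
</dashboard>"""

TOKEN_RE = re.compile(r"\$([A-Za-z_][\w.]*)\$")
# "#name" counts as a selector only if a "{" follows before any ";" or "}",
# so colour literals such as "#dc4e41;" are not mistaken for element ids.
ID_SELECTOR_RE = re.compile(r"#([A-Za-z_][\w-]*)(?=[^;{}]*\{)")


def braces_balanced(css):
    """True when every rule is closed before the next one opens."""
    depth = 0
    for ch in css:
        if ch == "{":
            depth += 1
            if depth > 1:  # assumption: dashboard CSS rules are not nested
                return False
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_dashboard(xml_text):
    """Return a list of findings for the <style> blocks of a Simple XML source."""
    root = ET.fromstring(xml_text)
    element_ids = {el.get("id") for el in root.iter() if el.get("id")}
    # Tokens that some event handler or form input on the dashboard assigns.
    assigned = {el.get("token") for el in root.iter()
                if el.tag in ("set", "eval", "input") and el.get("token")}
    findings = []
    for style in root.iter("style"):
        css = style.text or ""
        if not braces_balanced(css):
            findings.append("unbalanced braces in <style> block")
        for sel_id in sorted(set(ID_SELECTOR_RE.findall(css)) - element_ids):
            findings.append(f"selector #{sel_id} matches no element id")
        for tok in sorted(set(TOKEN_RE.findall(css)) - assigned):
            findings.append(f"token ${tok}$ is used in CSS but never set")
    return findings


if __name__ == "__main__":
    for finding in lint_dashboard(SAMPLE):
        print(finding)
```
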

jip31
Builder

Yes, the option settings are the same.
You can have a look at the screenshot
https://cjoint.com/c/IAjjGf3JS6d
and there is no issue in the browser inspector....
I don't understand anything

0 Karma

niketnilay
Legend

@jip31 if you edit the Single Value panel from the UI then the Simple XML token override gets removed. So it is either one of them that you can use.

Also, since Simple XML JS Extension or installing Status Indicator apps are out of the picture for you, all I can help you with is that you can try the following search:

1) Run your search with loadjob as an independent search instead of running it inside the single value panel. Use a Search Event Handler to set tokens for State and Color for the respective loadjob query.
2) Create a single value panel with the result of State and use the CSS color override.

This way the Single Value panel will load only after the CSS is applied. Make sure you do not have code like the following under the single value visualization:

       <option name="rangeColors">["0x555","0x555"]</option>
       <option name="rangeValues">[0]</option>


<form>
  <label>Single Value Color</label>
  <!-- Independent Search to get State from Search 1-->
  <search>
    <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 
             | search host="$tok_filterhost$" 
             | fields - host 
             | eval state="GOOD"
     </query>
    <earliest>-30d@d</earliest>
    <latest>now</latest>
    <done>
      <eval token="tokState1">$result.state$</eval>
      <eval token="tokColor1">case($result.state$=="GOOD","#53a051",true(),"#dc4e41")</eval>
    </done>
  </search>
  <row>
    <panel>
      <title>Disk Remaining Space Status $tokState1$ $tokColor1$</title>
     <html depends="$alwaysHideCSSStylePanel$">
      <style>
         #singleWithCSSOverride1 svg.svg-container rect{
            fill: $tokColor1$ !important;
          }
          #singleWithCSSOverride2 svg.svg-container rect{
            fill: $tokColor2$ !important;
          }
       </style>
      </html>
      <single id="singleWithCSSOverride1">
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| makeresults
             | fields - _time, "$tokColor1$"
             | eval state="$tokState1$"
           </query>
        </search>
        <option name="colorMode">block</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jip31
Builder

Thanks for your answer.
Question: is it not possible to do the coloring with eval if.... directly in the report??

eventtype=Charge 
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time 
| eval Wear_Rate = 100-(FullChargedCapacity *100/DesignedCapacity) 
| eval Status=if(Wear_Rate>5, "GOOD", "BAD") 
| table Status
0 Karma

niketnilay
Legend

@jip31 Option 1: Single Value Color with rangemap in my first question was the option directly with eval. Please try that. Following is an example.

| makeresults 
| eval state="BAD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jip31
Builder

Do I have to update the xml like this please??

| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status"
| search host="$tok_filterhost$"
| fields - host
| makeresults
| eval state="BAD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded

0 Karma

jip31
Builder

Hi
I don't succeed in configuring your code.
Could you help me please???

0 Karma

jip31
Builder

I do this but I have a 0 value instead of good or bad

| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 
| search host="$tok_filterhost$" | fields -host
| eval state="GOOD" |eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded
0 Karma

niketnilay
Legend

Can you give the output of just the first loadjob command? What are the fields available, ie. anything apart from host, state?

 | loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 

Is | eval state="GOOD" just for testing?

Following is an example based on rangemap:

<dashboard>
  <label>Single Value Rangemap</label>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults 
| eval state="BAD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
</dashboard>

Replace the query

| makeresults 
| eval state="BAD"
| table state
| eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded

With

| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 
| search host="$tok_filterhost$" 
| table state
| eval state="GOOD"
| eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
| rangemap field=severity low=0-0 severe=1-1 default=guarded
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jip31
Builder

Hi

I have adapted the XML as you asked me (see below) but I have no results

<form>
  <label>TEST</label>
  <description>Specific workstation monitoring - Disk health checking - Slot time : 30 days</description>
  <fieldset submitButton="true">
    <input type="text" searchWhenChanged="true" token="tok_filterhost">
      <label>HostName</label>
      <default>*</default>
    </input>
  </fieldset>
  <row depends="$alwaysHideCSSPanel$">
    <panel>
      <html>
              <style>
                  .dashboard-header p.description {
                       font-size: 16px;
                       font-weight: bold;
                       font-family: Arial;
                       font-style: italic;
                       color: black;
                       padding-top: 40px;
                   }
               </style>
            </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Disk Remaining Space Status</title>
      <single>
        <title>Good : &gt; 15% - Bad : &lt; 15%</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size" 
 | search host="$tok_filterhost$" 
 | table state
 | eval state="GOOD"
 | eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
 | rangemap field=severity low=0-0 severe=1-1 default=guarded</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>Disk Health Status</title>
      <single>
        <title>Good : Status = OK - Bad : Status = Not OK</title>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status" 
| search host="$tok_filterhost$" | table state
 | eval state="GOOD"
 | eval severity=case(state="GOOD", 0, state="BAD", 1, true(), 999) 
 | rangemap field=severity low=0-0 severe=1-1 default=guarded</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Disk Remaining Space Status Details</title>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Size_Details" 
| search host=$tok_filterhost$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <title>Disk Health Status Details</title>
      <table>
        <search>
          <query>| loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status_Details" 
| search host=$tok_filterhost$</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <format type="color" field="Status">
          <colorPalette type="map">{"OK":#3863A0}</colorPalette>
        </format>
      </table>
    </panel>
  </row>

</form>

And I don't understand why you hard code
| eval state="GOOD"

because this value is calculated in the saved search you can see below

eventtype="DiskHealthSize"
| dedup host
| eval time = strftime(_time, "%m/%d/%Y %H:%M")
| eval Value = round(Value, 1)
| eval TotalSpace = TotalSpaceKB/1024
| eval TotalSpace = round(TotalSpace/1024,1). " MB"
| rename Value as Free_Space
| eval Free_Space= if(Free_Space>15, "GOOD", "BAD")
| table host Free_Space

0 Karma

niketnilay
Legend

Thanks for sharing the saved search query. As per one of your initial posts, I thought the saved search was returning a field called state, but it is actually Free_Space. The information that this field contains the value GOOD or BAD was not provided earlier. So try this query instead (edit in Simple XML, not from the UI):

  | loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status" 
  | search host="$tok_filterhost$" 
  | table Free_Space
  | eval severity=case(Free_Space="GOOD", 0, Free_Space="BAD", 1, true(), 999) 
  | rangemap field=severity low=0-0 severe=1-1 default=guarded
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
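
The field-name mismatch described in the reply above, as an added example that is not part of the original thread: a stand-alone Simple XML panel that evaluates the same `case()` and `rangemap` logic once against `state` and once against `Free_Space`, side by side. The host names and the three rows are constructed placeholders, not data from the poster's saved search.

```xml
<dashboard>
  <label>Rangemap field-name check (added example)</label>
  <row>
    <panel>
      <!-- Constructed rows: hosts ws-example-01..03 are placeholders, not the thread's data. -->
      <!-- Row 3 is deliberately left without a Free_Space value to exercise the true() fallback. -->
      <!-- severity_from_state reads a field that does not exist in these rows, -->
      <!-- which is the situation when the saved search returns Free_Space and not state. -->
      <table>
        <search>
          <query>| makeresults count=3
| streamstats count AS n
| eval host="ws-example-0".n
| eval Free_Space=case(n=1, "GOOD", n=2, "BAD")
| eval severity_from_state=case(state="GOOD", 0, state="BAD", 1, true(), 999)
| eval severity=case(Free_Space="GOOD", 0, Free_Space="BAD", 1, true(), 999)
| rangemap field=severity low=0-0 severe=1-1 default=guarded
| table host Free_Space severity_from_state severity range</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Every row gets `severity_from_state=999` because a comparison against a missing field never matches and `case()` falls through to `true()`. The `Free_Space` version yields 0/`low`, 1/`severe` and 999/`guarded` for the three rows.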

jip31
Builder

Unfortunately, the single value is empty, no errors but no results....

0 Karma

niketnilay
Legend

Run the following query and share the tabular output (add sample $host$ name as per your data). Share table Field Name and Value.

   | loadjob savedsearch="admin:FO_Workstations_Monitoring:FO_Workstations_Disk_Status" 
   | search host="$tok_filterhost$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma