Dashboards & Visualizations

Need to change colour in dashboard in trellis view

Mrig342
Contributor

Hi All,

I am trying to create a dashboard in trellis view. I created the below query for my search:

index=abcd host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" | rex field=_raw "(?ms)]\s(?P<Code>\w+)\s\[" | search Code="WARN" | rex field=_raw "^(?:[^ \n]* ){3}\[(?P<code_id>[^\]]+)" | search code_id="AdminClient clientId=adminclient-*" | stats count | eval mwgcb-ckbla02u=if(count=0, "Running", "Down") | table mwgcb-ckbla02u

Here, I am using the trellis view and "single value" in visualization. All came up perfect, but I am not able to change the colour of the trellis box. Like when its "Running", box should be green and when "Down", it should be red.

Can anyone please help on this..?

 

Thanks.

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
        <format type="color">
          <colorPalette type="expression">case (match(value,"Down"), "#ff0000",match(value,"Up"),"#00ff00")</colorPalette>
        </format>
0 Karma

Mrig342
Contributor

I tried inserting the above in the source-code. Its not working for me. 

Please look into the source code and suggest.

<dashboard>
<label>Kafka_Broker</label>
<row>
<panel>
<title>mwgcb-ckbla02U</title>
<single>
<search>
<query>index=abcd host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" | rex field=_raw "(?ms)]\s(?P&lt;Code&gt;\w+)\s\[" | search Code="WARN" | rex field=_raw "^(?:[^ \n]* ){3}\[(?P&lt;code_id&gt;[^\]]+)" | search code_id="AdminClient clientId=adminclient-*" | stats count | eval mwgcb-ckbla02u=if(count=0, "Running", "Down") | table mwgcb-ckbla02u</query>
<earliest>1626633000</earliest>
<latest>1626636600</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>

</row>
</dashboard>

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try this instead

<dashboard>
<label>Kafka_Broker</label>
<row>
    <panel depends="$alwaysHideCSSPanel$">
      <html>
        <style>
          #single #facet-viz_data_source_mwgcb-ckbla02u svg{
            background-color: $singlecolour$;
          }
        </style>
      </html>
    </panel>
<panel>
<title>mwgcb-ckbla02U</title>
<single>
<search>
<query>index=abcd host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" | rex field=_raw "(?ms)]\s(?P&lt;Code&gt;\w+)\s\[" | search Code="WARN" | rex field=_raw "^(?:[^ \n]* ){3}\[(?P&lt;code_id&gt;[^\]]+)" | search code_id="AdminClient clientId=adminclient-*" | stats count | eval mwgcb-ckbla02u=if(count=0, "Running", "Down") | table mwgcb-ckbla02u</query>
<earliest>1626633000</earliest>
<latest>1626636600</latest>
<sampleRatio>1</sampleRatio>
<done>
<eval token="singlecolour">if('results.mwgcb-ckbla02u'=="Down","red","green")</eval>
</done>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x53a051","0xdc4e41"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">large</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>

</row>
</dashboard>
0 Karma

Mrig342
Contributor

Hi ITWhisperer,

This didn't work either. Is it because I am using trellis..?

Because without trellis, the format command works if kept as table.

But we need the output in trellis view. Can you please suggest some more?

 

Thank you.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Sorry, typo on my part - try

<eval token="singlecolour">if('result.mwgcb-ckbla02u'=="Down","red","green")</eval>

 

0 Karma

Mrig342
Contributor

Sorry ITWhisperer,

 

It didn't work either. As of now now I am going with the tabular view without trellis and using format.

However, suggestions for modification on the trellis view are welcomed. We prefer going with the trellis view.

 

Thank you.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...