How color code the dynamic Table

harshal_chakran · ‎06-02-2014

Hi I have the following code with a dynamic search command.

<module name="Search" layoutPanel="panel_row4_col1" autoRun="True">
  <param name="search"><![CDATA[

|inputcsv RESULT.csv |search KPI|stats first(RESULT) as RESULT by KPI TIMESTAMP|eval myClassField=case(RESULT>10,"red", RESULT>0.6,"orange",RESULT<0.6,"green")|xyseries KPI TIMESTAMP RESULT myClassField

  ]]></param>

  <module name="Pager"><param name="count">100</param>

  <module name="Table">
    <param name="columns.RESULT.class">$row.fields.myClassField$</param>

<!--

    <param name="hiddenFields">myClassField</param>
  </module>
</module>

<module name="HTML" layoutPanel="panel_row4_col1">
  <param name="html"><![CDATA[

  <style type="text/css">

  .Table td.red {
    background-color:#f01b31;
    color:white;
  }

  .Table td.orange {
    background-color:#fcb316;
  }

  .Table td.yellow {
    background-color:#fef200;
  }

  .Table td.green {
    background-color:#82FA58;
  }

  </style>

  ]]></param>
</module>`

The output is as shown below:

The columns will go on increasing as the data grows. I want to color the cells based on "myClassfield" value. I was able to do it when my column names were static, but now as the column names are also dynamic and goes on increasing as RESULT:0000-0015, RESULT:0015-0030,RESULT:0030-0045, and so on...

Please Help...!!!

sideview · ‎06-02-2014

I'm afraid this can't be done with the Table module today. At least not in this exact way.

If this were something I was working on, I would try to unwind one dimension out of it, so there was a little less going on. For instance you could have a high level chart display with a "traffic light" flavor to it, with some drilldown, and then also allow the user to pick one particular KPI at a time to see the timestamps and colors.

I might also use the Multiplexer, which is a crazy trick you can apply to kind of "get an extra dimension" back. In this example I use the Multiplexer module so that for each of your KPI values, there is a little header and a pageable table. And since here I've kinda taken a dimension out of each individual Table, suddenly the plain old "rowClass" param can color our fields.

<module name="Search" layoutPanel="panel_row4_col1" autoRun="True">
  <param name="search"><![CDATA[

| inputcsv RESULT.csv 
| search KPI 
| stats first(RESULT) as RESULT by KPI TIMESTAMP
| eval myClassField=case(RESULT>10,"red", RESULT>0.6,"orange",RESULT<0.6,"green")

  ]]></param>

  <module name="PostProcess">
    <param name="search">| stats count by KPI</param>

    <module name="Multiplexer">
      <param name="fields">KPI</param>

      <module name="PostProcess">
        <param name="search">| search KPI="$KPI$"</param>

        <module name="HTML">
          <param name="html"><![CDATA[
            <h3>$KPI$</h3>
          </param>
        </module>

        <module name="Pager">
          <module name="Table">
            <param name="hiddenFields">myClassField</param>
            <param name="rowClass">$row.fields.myClassField$</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>

How color code the dynamic Table

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!