What I am trying to do, I can get to work in a dashboard, but I would like it to work in reports (savedsearches.conf).
My data looks something like this:
My search: | rest /services/licenser/slaves | table label
sh-nm-1
pmsl-pfssplki01
nmsplnksysp01
pmsl-pnmsplka01
mmsl-pfssplka01
pmsl-pfssplka01
mmsl-pnmsplka04
fssplnksysp01
My goal is to differentiate systems using color on the label column.
From the manual: https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Savedsearchesconf
# Color format options
display.statistics.format.<index>.colorPalette = [expression|list|map|minMidMax|sharedList]
# Color palette options for 'expression'
display.statistics.format.<index>.colorPalette.rule = <string>
Here is what I have tried.
display.statistics.format.0 = color
display.statistics.format.0.colorPalette = expression
display.statistics.format.0.colorPalette.colors = case(like(label,"pmsl%"),"#ffff00",like(label,"mmsl%"),"#ff00ff",1=1,"#00ffff")
display.statistics.format.0.field = label
But no colors are showing up. The case rule works fine.
The manual says nothing about what the <string> should look like.
A workaround is to create a new column and color it like this:
| rest /services/licenser/slaves | table label | eval customer=case(like(label,"pmsl%"),"systemA",like(label,"mmsl%"),"systemB",1=1,"old")
Then add color for systemA, systemB and old.
But I would like to get this to work for my original column. Anyone?