How do I use the SingleValue module to color code search results?

tpaulsen
Contributor

In discussions, Johnvey has suggested using the SingleValue module to display the output of the results.

In fact, with the rangemap search keyword, we are simply getting the output in the form of text and there is still no way for us to interpret it and display it in another format (like an image).

Please see the code snippet below:

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="FuturesDemo Messages per minute" autoRun="True">
      <param name="search">index="os" foo FuturesDemo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
      <param name="earliest">-1m</param>
      <module name="ResultsHeader">
         <param name="entityName">scanned</param>
         <param name="entityLabel">foo events</param>
         <module name="FlashChart">
            <param name="height">180px</param>
            <param name="width">80%</param>
         </module>
      </module>
   </module>
</view>

 

1 Solution

Johnvey
Contributor

So to clarify your question:

The current configuration will display the text that you desire.

<view refresh="60" template="dashboard.html">
   <module name="HiddenSearch" layoutPanel="panel_row1_col1" autoRun="True">
      <param name="search">index="os" foo earliest="-1m" |stats count|rangemap field=count red=0-0 default=green</param>
       <module name="SingleValue"> 
          <param name="labelPosition">before</param> 
          <param name="beforeLabel">foo(</param> 
          <param name="afterLabel">)</param> 
      </module>
   </module>
</view>

However, the background color never changes depending on the dynamic value.

If that is the case, the solution is to change your populating search:

index="os" foo earliest="-1m" |stats count 
| rangemap field=count red=0-0 default=green

to

index="os" foo earliest="-1m" |stats count 
| rangemap field=count low=0-0 elevated=1-1 default=severe

By default, the SingleValue module defines the following class -> color mappings:

None     -> grey (#999)
low      -> green (#72c72d)
guarded  -> blue (#4da6df)
elevated -> yellow (#e9da34)
high     -> orange (#e67918)
severe   -> red (#bb2121)

These values are defined in:

$SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/css/skins/default/default.css

You can override them at either the application level by editing the file:

$SPLUNK_HOME/etc/apps/YOUR_APP_NAME/appserver/static/application.css

or at the view level by:

  1. Creating a custom view CSS file in the same directory as above
  2. Linking a view to that custom view CSS by adding it to the view XML node, i.e.,

    <view refresh="60" template="dashboard.html" stylesheet="my_custom_style.css">
    

Finally, by editing the custom CSS, you can replace the SingleValue backgrounds entirely with different JPG, GIF, or PNG files based on the enumerations defined by the 'rangemap' command.
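Added example, not part of the original answer: a small Python check that follows the answer's reasoning, parsing a rangemap clause and reporting any range name that has no entry in the SingleValue class table quoted above. The function names are hypothetical, and the range matching is a simplified model of rangemap (non-negative numeric bounds, first matching range wins).

```python
import re

# Class -> colour table quoted in the answer above (SingleValue defaults).
SINGLEVALUE_COLORS = {
    "None": "#999", "low": "#72c72d", "guarded": "#4da6df",
    "elevated": "#e9da34", "high": "#e67918", "severe": "#bb2121",
}

# The two searches from the thread (rangemap clause only).
ORIGINAL = "rangemap field=count red=0-0 default=green"
FIXED = "rangemap field=count low=0-0 elevated=1-1 default=severe"


def parse_rangemap(clause):
    """Split a rangemap clause into (field, [(name, lo, hi), ...], default)."""
    field, default, ranges = None, "None", []  # rangemap's default name is "None"
    for key, value in re.findall(r"(\w+)=(\S+)", clause):
        if key == "field":
            field = value
        elif key == "default":
            default = value
        else:
            bounds = re.fullmatch(r"(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)", value)
            if bounds is None:
                raise ValueError(f"bad range for {key!r}: {value!r}")
            ranges.append((key, float(bounds[1]), float(bounds[2])))
    return field, ranges, default


def range_for(clause, value):
    """Name rangemap assigns to value (simplified: first matching range wins)."""
    _, ranges, default = parse_rangemap(clause)
    for name, lo, hi in ranges:
        if lo <= value <= hi:
            return name
    return default


def unstyled_names(clause):
    """Range names in the clause that have no SingleValue class colour."""
    _, ranges, default = parse_rangemap(clause)
    names = [name for name, _, _ in ranges] + [default]
    return [name for name in names if name not in SINGLEVALUE_COLORS]


if __name__ == "__main__":
    for label, clause in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "unstyled:", unstyled_names(clause))
        for count in (0, 1, 7):
            name = range_for(clause, count)
            print(f"  count={count} -> {name} -> {SINGLEVALUE_COLORS.get(name, 'no class colour')}")
```

Running the same check over every dashboard search before deployment catches panels that would otherwise render without a status colour.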

Johnvey
Contributor

To Rakesh: it's a little unclear what your desired output is. The search you specify will output a table with 2 values: a 'count' and then an enumeration. Are you trying to display 2 different images, or just a colored box? Do you want to see the actual count?
