Splunk Search

How to change the cell color of a table if SLA time is missed?

harsush
Path Finder

Hi Team,

Below is my search, from which I am getting the completion time of the job. Below is where I need your help.

1 - If the search doesn't get a completion time, is there a way to change the cell color?
2 - Is there a way to compare the completion time with the SLA time and, if the completion time is greater, change the color of the cell?

| inputlookup PROD_BOX_CO
| search Job=PROD*
| rename Job AS JOB
| join type=left JOB [
    search index=ca* sourcetype=uc4 host=uc* U0011502
    | rex "U0011502 Workflow '(?<JOB>[^']+)'"
    | stats max(_time) AS Completion_Time by JOB
    ]
| sort Completion_Time
| eval Completion_Time = strftime(Completion_Time, "%+")
| table CYCLE CheckPoint JOB SLA Completion_Time

Lookup definition

Name: PROD_BOX_CO

Supported fields:
CYCLE,CheckPoint,Job,SLA

Sample row:
BAT_A,BAT1,PROD.BAT.XYZ,10:30

Lookup file: PROD_BOX_CO.csv

0 Karma

woodcock
Esteemed Legend

Always avoid join if you can (and you almost always can); try this:

index="ca*" sourcetype="uc4" host="uc*" U0011502
| rex "U0011502 Workflow '(?<JOB>[^']+)'"
| stats max(_time) AS Completion_Time by JOB
| eval Completion_Time_A = strftime(Completion_Time, "%+")
| eval Completion_Time_Hour = strftime(Completion_Time, "%H:%M")
| append [| inputlookup PROD_BOX_CO
   | search Job="PROD*"
   | rename Job AS JOB ]
| stats values(*) AS * BY JOB
| eval SLA_Minutes = tonumber(mvindex(split(SLA, ":"), 0)) * 60 + tonumber(mvindex(split(SLA, ":"), 1))
| eval Completion_Minutes = tonumber(mvindex(split(Completion_Time_Hour, ":"), 0)) * 60 + tonumber(mvindex(split(Completion_Time_Hour, ":"), 1))
| eval diff = SLA_Minutes - Completion_Minutes
| sort 0 Completion_Time
| table CYCLE CheckPoint JOB SLA Completion_Time_A Completion_Time_Hour diff
0 Karma

woodcock
Esteemed Legend

On the stats panel, click on the crayon/marker of the field label/name that is to be compared to the SLA value.
In the dialog that opens, in the Color tab, click on None and select Ranges. You can take it from there.

0 Karma

harsush
Path Finder

I tried, but I am not getting it; I might be wrong. Can you please help, woodcock/Team?

Supported fields:
CYCLE,CheckPoint,Job,SLA

Sample rows:
BAT_A,BAT1,PROD.BAT1.XYZ,10:30
BAT_A,BAT2,PROD.BAT2.XYZ,09:30
BAT_B,BAT1,PROD.BAT1.XYZ,07:30

| inputlookup PROD_BOX_CO
| search Job=PROD*
| rename Job AS JOB
| join type=left JOB [
    search index=ca* sourcetype=uc4 host=uc* U0011502
    | rex "U0011502 Workflow '(?<JOB>[^']+)'"
    | stats max(_time) AS Completion_Time by JOB
    | eval Completion_Time_A = strftime(Completion_Time, "%+")
    | eval Completion_Time_Hour = strftime(Completion_Time, "%H:%M")
    ]
| eval diff = SLA - Completion_Time_Hour
| sort Completion_Time
| table CYCLE CheckPoint SLA Completion_Time_A Completion_Time_Hour diff

1 - How do I calculate the time difference (SLA - Completion_Time_Hour)?
2 - If the SLA is missed, it needs to be highlighted in RED (if Completion_Time_Hour > SLA time, highlight it in RED).

0 Karma
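Putting the two answers together, here is an added example (not from the thread, and not from Splunk's documentation) of a Simple XML dashboard panel that addresses both questions at once: it lists every lookup row, marks jobs that have no completion event in the time range, computes how many minutes late each completed job finished against its SLA, and colors the cells. The lookup PROD_BOX_CO, the rex and the base search are taken from the posts above; the dashboard label, the field names SLA_Epoch, Late_Minutes and Status, and the hex colors are my own choices. Two assumptions to check before use: the SLA in the lookup is a same-day HH:MM, and the panel's time range (@d to now) is the cycle being checked, so an overnight job whose SLA belongs to the next calendar day needs the SLA_Epoch line shifted by a day.

```xml
<dashboard>
  <label>Batch job SLA check</label>
  <row>
    <panel>
      <table>
        <title>Job completion vs SLA (today)</title>
        <search>
          <!-- Start from the lookup so jobs with no event still get a row;
               append the per-job completion time instead of joining it. -->
          <query>| inputlookup PROD_BOX_CO
| search Job="PROD*"
| rename Job AS JOB
| append
    [ search index="ca*" sourcetype="uc4" host="uc*" U0011502
      | rex "U0011502 Workflow '(?&lt;JOB&gt;[^']+)'"
      | stats max(_time) AS Completion_Time by JOB ]
| eventstats max(Completion_Time) AS Completion_Time by JOB
| where isnotnull(SLA)
| eval SLA_Epoch = strptime(strftime(Completion_Time, "%Y-%m-%d") . " " . SLA, "%Y-%m-%d %H:%M")
| eval Late_Minutes = round((Completion_Time - SLA_Epoch) / 60)
| eval Status = case(isnull(Completion_Time), "NO COMPLETION", Late_Minutes &gt; 0, "MISSED", true(), "OK")
| eval Completion_Time_A = strftime(Completion_Time, "%Y-%m-%d %H:%M")
| table CYCLE CheckPoint JOB SLA Completion_Time_A Late_Minutes Status
| sort 0 -Late_Minutes</query>
          <!-- Time range of the cycle being checked; the subsearch inherits it. -->
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="count">50</option>
        <!-- Cell color by category: green on time, red missed, amber no completion. -->
        <format type="color" field="Status">
          <colorPalette type="map">{"OK":#53A051,"MISSED":#DC4E41,"NO COMPLETION":#F8BE34}</colorPalette>
        </format>
        <!-- Cell color by value: any positive number of minutes late is red. -->
        <format type="color" field="Late_Minutes">
          <colorPalette type="expression">if(value &gt; 0, "#DC4E41", "#53A051")</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
```

The eventstats step, rather than a stats values(*) by JOB, matters for the lookup shown in the second post: PROD.BAT1.XYZ is listed under two cycles with different SLAs, and grouping by JOB would merge the two SLA values into one multivalue field, after which the arithmetic silently returns nothing. eventstats copies the single completion time onto each lookup row for that job, and the where clause then drops the event-only rows (those without an SLA), so jobs that appear in the data but not in the lookup do not clutter the table. A job with no event keeps a null Completion_Time, which propagates to a null Late_Minutes and the NO COMPLETION status.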