
Can you set single value option "colorMode" to a drilldown token?

johnvr
Path Finder

Thanks for your help in advance.

I have a set of single value visualizations inside a single dashboard panel. Each of these has drilldown panels that appear when you select the value, and that removes the drilldown panels that would appear when you select the others (each has , , etc.

What I'm trying to do is add another layer of differentiation - aside from a heading - as to which value is selected. I want to do that by changing colorMode to "block" if the drilldown is active. So it's a color-against-white if unselected, then when selecting it, it drills down into those panels, and also changes to a block colorMode, white-against-color. Does that make sense?

I've tried this a few ways - it won't take inside a , and I can't figure out how to set an to a token.

Is this possible...

So what I have right now is.....

<panel>
  <title>Name of My Panel</title>
  <single>
    <title>Single Value One</title>
    <search base="base">
      <query>| stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">all</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0x65a637","0x65a637"]</option>
    <option name="rangeValues">[0]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">0</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown>
      <set token="show_dash_one">y</set>
      <unset token="show_dash_two"></unset>
      <unset token="show_dash_three"></unset>
    </drilldown>
  </single>
  <single>
    <title>Single Value Two</title>
    <search base="base_two">
      <query>| stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">all</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
    <option name="rangeValues">[0]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">0</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown>
      <set token="show_dash_two">y</set>
      <unset token="show_dash_one"></unset>
      <unset token="show_dash_three"></unset>
    </drilldown>
  </single>
  <single>
    <title>Single Value Three</title>
    <search base="base_three">
      <query>| stats count</query>
    </search>
    <option name="colorBy">value</option>
    <option name="colorMode">none</option>
    <option name="drilldown">all</option>
    <option name="numberPrecision">0</option>
    <option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
    <option name="rangeValues">[0,30,70,100]</option>
    <option name="showSparkline">1</option>
    <option name="showTrendIndicator">1</option>
    <option name="trendColorInterpretation">standard</option>
    <option name="trendDisplayMode">absolute</option>
    <option name="unitPosition">after</option>
    <option name="useColors">1</option>
    <option name="useThousandSeparators">1</option>
    <drilldown>
      <set token="show_dash_three">y</set>
      <unset token="show_dash_one"></unset>
      <unset token="show_dash_two"></unset>
    </drilldown>
  </single>
</panel>

... and I'd like to find a way to either call a token in the option or write something in or both to accomplish this.

Is this possible?

0 Karma

niketn
Legend

@johnvr, you can set a token during drilldown to value block, which can be applied to colorMode Simple XML option. The tokens for other Single Value panels can be set to none. I have used <init> section to default the tokens to none.

Following is a run anywhere dashboard based on Splunk's _internal index. It has three Single Value Panels for Info, Warn and Error. Single Value colorBy option is set to trend for simplicity. Clicking on a Single Value panel sends the token to timechart which splits the count by Splunk components.


<dashboard>
  <label>Single Value Block color on Drilldown</label>
  <init>
    <set token="infoColorMode">none</set>
    <set token="warnColorMode">none</set>
    <set token="errorColorMode">none</set>
  </init>
  <row>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="INFO"
| timechart count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">$infoColorMode$</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Info</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="tokLogLevel">INFO</set>
          <set token="infoColorMode">block</set>
          <set token="warnColorMode">none</set>
          <set token="errorColorMode">none</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="WARN"
| timechart count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">$warnColorMode$</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">inverse</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Warning</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="tokLogLevel">WARN</set>
          <set token="infoColorMode">none</set>
          <set token="warnColorMode">block</set>
          <set token="errorColorMode">none</set>
        </drilldown>
      </single>
    </panel>
    <panel>
      <single>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="ERROR"
| timechart count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">$errorColorMode$</option>
        <option name="drilldown">all</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">inverse</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="underLabel">Error</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
        <drilldown>
          <set token="tokLogLevel">ERROR</set>
          <set token="infoColorMode">none</set>
          <set token="warnColorMode">none</set>
          <set token="errorColorMode">block</set>
        </drilldown>
      </single>
    </panel>
  </row>
  <row depends="$tokLogLevel$">
    <panel>
      <title>Count of $tokLogLevel$ Log Level by Component</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="$tokLogLevel$"
| timechart count by component useother=f usenull=f limit=10     
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
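The answer above depends on two pieces of wiring: every token used in a `colorMode` option has a default in `<init>`, and every drilldown sets its own panel's token to `block` and all the others to `none`. If a drilldown skips a reset, a previously clicked panel stays in block mode; if a default is missing, the token is undefined until the first click. The following check is an added example, not part of the original posts; the function name `lint_color_tokens` and the cut-down sample dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TOKEN_REF = re.compile(r"^\$(\w+)\$$")

# Constructed sample: a cut-down two-panel dashboard. The second drilldown
# forgets to reset infoColorMode, and warnColorMode has no <init> default.
SAMPLE = """<dashboard>
  <init><set token="infoColorMode">none</set></init>
  <row>
    <panel><single>
      <option name="colorMode">$infoColorMode$</option>
      <drilldown>
        <set token="infoColorMode">block</set>
        <set token="warnColorMode">none</set>
      </drilldown>
    </single></panel>
    <panel><single>
      <option name="colorMode">$warnColorMode$</option>
      <drilldown>
        <set token="warnColorMode">block</set>
      </drilldown>
    </single></panel>
  </row>
</dashboard>"""

def lint_color_tokens(xml_text):
    """Return a list of problems with the colorMode token wiring."""
    root = ET.fromstring(xml_text)
    defaults = {s.get("token") for s in root.findall("./init/set")}
    singles = []  # (token driving the panel's colorMode, its drilldown sets)
    for single in root.iter("single"):
        opt = single.find("option[@name='colorMode']")
        m = TOKEN_REF.match((opt.text or "").strip()) if opt is not None else None
        if m:
            sets = {s.get("token"): (s.text or "").strip()
                    for s in single.findall("./drilldown/set")}
            singles.append((m.group(1), sets))
    tokens = [tok for tok, _ in singles]
    problems = [f"{t}: no default in <init>" for t in tokens if t not in defaults]
    for own, sets in singles:
        for t in tokens:
            want = "block" if t == own else "none"
            if sets.get(t) != want:
                problems.append(
                    f"{own} drilldown: {t} is {sets.get(t)!r}, expected {want!r}")
    return problems
```

An empty list means the wiring is consistent; run against the sample, it reports the missing `<init>` default and the missing reset.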

dflodstrom
Builder

I have a sneaking suspicion you've found the answer to this 🙂

0 Karma