- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How can I change the color based on another variab...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I change the color based on another variable?
Greetings,
The following query brings the total amount of hosts in AD, the amount of hosts that seem to be currently active, and what percent of the total hosts in AD are currently active. What I want to do is change the color of the result depending on the percentage calculated.
For example, I am displaying the Total in a single value pane. If the Percentage is more than 94%, make it GREEN, otherwise make it RED.
This is what I got so far:
index=winevents
| dedup host
| stats count as Total
| appendcols [ | ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*") | stats count as WindowsComputers ]
| eval Percentage = round((Total/WindowsComputers)*100)
| eval Percentage = if(Percentage > 94, "low", "severe")
| table Total
XML:
option name="field">Percentage
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I did something similar using Status Indicator - Custom Viz
https://splunkbase.splunk.com/app/3119/
I used this custom params for my panel:
<option name="height">70</option>
<option name="link.visible">0</option>
<option name="status_indicator_app.status_indicator.colorBy">field_value</option>
<option name="status_indicator_app.status_indicator.fillTarget">background</option>
<option name="status_indicator_app.status_indicator.fixIcon">warning</option>
<option name="status_indicator_app.status_indicator.icon">field_value</option>
<option name="status_indicator_app.status_indicator.precision">0</option>
<option name="status_indicator_app.status_indicator.showOption">1</option>
<option name="status_indicator_app.status_indicator.staticColor">#555</option>
<option name="status_indicator_app.status_indicator.useColors">true</option>
<option name="status_indicator_app.status_indicator.useThousandSeparator">false</option>
I used a query like this:
(...)
| eval value = ....
| eval color_value=case(m="1", "#32cd32", m="2", "#FFD700", m="3", "#540650", 1=1, "#ff0000")
| eval icon_value=case(m="1", "check-circle", m="2", "exclamation-triangle", m="3", "exclamation-circle", 1=1, "times-circle")
| table value icon_value color_value
I hope this can help you!
Javier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Javi,
Unfortunately I don't have that app on my system and I am not able to install until further notice. I will try it as soon as I can and will let you know.
Thanks!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
