Complex Color Rule

jip31
Motivator

Hi

I use this code in order to display the difference between the free disk space and the total disk space.
I need to create a color alert in the field.
When the difference between space disk and total disk is less than 20 GB, I want the field to be colored in orange, and when the difference is less than 10 GB I want the field colored in red.
I don't need to display the difference value, but just to color my field.
I don't see any possibility to add a calculation in the color field rules.
How to do this, please?

index="perfmon" sourcetype="perfmon:logicaldisk" instance=c:  counter="Free Megabytes" OR counter="% Free Space"| search host=*
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
 | eval total_space = mb_free / (perc_free) * 100  | eval DiskSize = round(mb_free/1000,2)." MB / ".round(total_space/1000,2)." MB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize  |sort  -time
0 Karma
1 Solution

renjith_nair
Legend

@jip31,

There are minor adjustments you need to get the actual result. The disk space from perfmon is in MB and by dividing by 1000 you are getting the space in GB, and also it should be by 1024 instead of 1000 for accurate results. Also calculate the difference between the total and used: eval diff=round((total_space-mb_free)/1024,2)
So the search will be

 index="perfmon" sourcetype="perfmon:logicaldisk" instance=c:  counter="Free Megabytes" OR counter="% Free Space"| search host=*
 | eval perc_free = if(counter="% Free Space",Value,null)
 | eval mb_free = if(counter="Free Megabytes",Value,null)
 | stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
  | eval total_space = mb_free / (perc_free) * 100  | eval diff=round((total_space-mb_free)/1024,2)|eval DiskSize = round(mb_free/1024,2)." GB / ".round(total_space/1024,2)." GB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize diff  |sort  -time

Once you have this in the table, you could change the color on the basis of the 'diff' column by just editing the visualization.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormats

Sample dashboard - you might need to adjust the sourcetype and instance

<dashboard>
  <label>perf</label>
  <row>
    <panel>
      <table>
        <search>
          <query>index="perfmon" sourcetype="Perfmon:disk" counter="Free Megabytes" OR counter="% Free Space"
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100  | eval diff=round((total_space-mb_free)/1024,2) | eval DiskSize = round(mb_free/1024,2)." GB / ".round(total_space/1024,2)." GB"|eval time = strftime(_time, "%d-%m-%y %H:%M") 
| table time host instance DiskSize,diff  |sort  -time</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="diff">
          <colorPalette type="list">[#DC4E41,#EC9960,#53A051]</colorPalette>
          <scale type="threshold">10,20</scale>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
Happy Splunking!

0 Karma

DalJeanis
Legend

There are a whole bunch of different ways, none of them difficult, based on what you might be trying to do. I believe this first one may be what you are looking for, but there are some additional links at the end.

https://answers.splunk.com/answers/230164/how-to-get-a-table-cell-color-to-change-depending.html

Also, our awesome Splunk Trust member @niketnilay posted a great fully-described example here - https://answers.splunk.com/answers/583047/can-i-color-a-cell-based-on-condition.html

If you work your way through that, you should be able to get exactly what you need.


Here's some other references:

https://answers.splunk.com/answers/613766/how-can-i-change-the-color-of-the-single-value-vis.html
https://answers.splunk.com/answers/58335/change-chart-bar-color-based-on-data-value.html
https://answers.splunk.com/answers/469656/how-to-change-the-background-color-of-the-panels-i.html
https://answers.splunk.com/answers/200861/how-to-change-bar-colors-in-a-bar-chart-based-on-v.html

niketn
Legend

Thanks Dal 🙂 I think the question here by @jip31 is to color by difference but do not show difference in the table, rather show the free space alone (not even the total space). This is slightly tricky but possible thanks to the following post by @kamlesh_vaghela: https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...

The approach of the answer would be:
1) To have a table with free space and total space both in the same field in the table (possibly with a delimiter like comma or semi-colon between them).

2) Use a Simple XML JS Extension to define a Custom Table Cell Renderer for the combined field. Use JavaScript to split the two values in the cell and get the difference.

3) Set the class for color based on the range for the difference.

4) Finally, while rendering the table cell value, keep only the free space and discard the total space value.

Please try it out and confirm whether you need a mock run-anywhere example similar to your query.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
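
The four steps listed in the post above, sketched as an added example that is not part of the original thread or of any poster's code. It assumes the cell holds the "free GB / total GB" string built by the DiskSize eval earlier in the thread; the table id `disk_table` and the CSS class names `disk-red`, `disk-orange` and `disk-ok` are hypothetical and must be defined in the dashboard and its stylesheet.

```javascript
// Added example. Thresholds (10, 20 GB) and the DiskSize cell format come from the thread;
// the table id "disk_table" and the CSS class names are assumptions.
const RED_BELOW_GB = 10;     // diff < 10 GB -> red
const ORANGE_BELOW_GB = 20;  // diff < 20 GB -> orange

// Step 2: split a cell such as "35.20 GB / 50.00 GB" into its two numbers.
// Returns null when the cell does not match, so the renderer leaves it uncoloured.
function parseDiskSize(cellValue) {
  const text = cellValue == null ? '' : String(cellValue);
  const m = /^\s*(\d+(?:\.\d+)?)\s*GB\s*\/\s*(\d+(?:\.\d+)?)\s*GB\s*$/.exec(text);
  if (!m) return null;
  return { freeGb: parseFloat(m[1]), totalGb: parseFloat(m[2]) };
}

// Steps 3 and 4: pick a class from the same difference the search calls `diff`
// (total - free) and keep only the free space as the visible text.
function diskCellStyle(cellValue) {
  const parsed = parseDiskSize(cellValue);
  if (!parsed) return { text: cellValue == null ? '' : String(cellValue), cssClass: '' };
  const diff = parsed.totalGb - parsed.freeGb;
  let cssClass = 'disk-ok';
  if (diff < RED_BELOW_GB) cssClass = 'disk-red';
  else if (diff < ORANGE_BELOW_GB) cssClass = 'disk-orange';
  return { text: parsed.freeGb.toFixed(2) + ' GB', cssClass: cssClass };
}

// Wiring as a Simple XML JS extension; skipped outside a Splunk dashboard page.
if (typeof window !== 'undefined' && typeof window.require === 'function') {
  window.require(['splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!'],
    function (mvc, TableView) {
      const DiskSizeRenderer = TableView.BaseCellRenderer.extend({
        canRender: function (cell) { return cell.field === 'DiskSize'; },
        render: function ($td, cell) {
          const style = diskCellStyle(cell.value);
          if (style.cssClass) $td.addClass(style.cssClass);
          // .text(), not .html(): indexed event data must not be interpreted as markup.
          $td.text(style.text);
        }
      });
      mvc.Components.get('disk_table').getVisualization(function (tableView) {
        tableView.addCellRenderer(new DiskSizeRenderer());
      });
    });
}
```
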

renjith_nair
Legend

@jip31,
This is missing in your search: | eval diff=round((total_space-mb_free)/1024,2)

Try the below

index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space"
| search host=$tok_filterhost$ | eval perc_free = if(counter="% Free Space",Value,null) | eval mb_free = if(counter="Free Megabytes",Value,null) 
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance | eval total_space = mb_free / (perc_free) * 100 
| eval diff=round((total_space-mb_free)/1024,2) 
| eval DiskSize = round(mb_free/1024,2)." MB / ".round(total_space/1024,2)." MB"|eval time = strftime(_time, "%d-%m-%y %H:%M") 
| table time host instance DiskSize diff|sort -time
Happy Splunking!
0 Karma

jip31
Motivator

I have succeeded, renjith, but I would like to have the cell colored in the disksize field and not in the diff field....

0 Karma

renjith_nair
Legend

As mentioned above by @niketnilay, you might need js , https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...

Happy Splunking!
0 Karma

jip31
Motivator

Hello all and thanks

@renjith: I have just added this in my XML

<format type="color" field="diff">
<colorPalette type="list">[#DC4E41,#EC9960,#53A051]</colorPalette>
<scale type="threshold">10,20</scale>
</format>

Is it OK? Because the field is not colored.
The entire code is
index="perfmon" sourcetype="perfmon:logicaldisk" instance=c: counter="Free Megabytes" OR counter="% Free Space"| search host=$tok_filterhost$
| eval perc_free = if(counter="% Free Space",Value,null)
| eval mb_free = if(counter="Free Megabytes",Value,null)
| stats latest(mb_free) as mb_free latest(perc_free) as perc_free by _time, host, instance
| eval total_space = mb_free / (perc_free) * 100 | eval DiskSize = round(mb_free/1024,2)." MB / ".round(total_space/1024,2)." MB"|eval time = strftime(_time, "%d-%m-%y %H:%M") |table time host instance DiskSize |sort -time

$tok_time.earliest$
$tok_time.latest$

10
row
progressbar

[#DC4E41,#EC9960,#53A051]
10,20

thanks

0 Karma