Splunk Search

Accessing whole row / other fields in table format colorPalette expression in Simple XML - 'value' only?

wowczarek
Engager

Hello Splunkers,

I am developing dashboards in a Splunk instance which I don't manage, so I have little room for adding custom js, and frankly neither do I want to work with CSS and js, to keep things easily movable.

I have a table where the value of one field/column determines the overall status of the row, and I have a colour palette doing what I need it to do. This works fine; high values are red, low are green.

However, I would ideally like to be able to change the colouring of other columns based on the same field. I could not find any documentation stating that "value" is the only variable available to the expression in <colorPalette type="expression">. My question then is: can I refer to the whole row or other fields in the colorPalette expression for a given column? I tried the usual suspects like row.<fieldname> or simply <fieldname>, but to no avail.

So, can this be done? Or is the colouring evaluated purely in the context of a single cell? Does anybody know if Splunk is going to introduce explicit row colouring at one point?

Actually another use case for what I'm asking is if one wants to colour a column or columns based on another field that is not even displayed - for example when you have a calculation that determines some internal "score" value, which in itself is of no interest to the user.

Many thanks,
Wojciech

eurban
Explorer

I am trying to do the same thing as you and have also not found an answer on how to accomplish this. I did however find in the documentation showing "value" being used, though it does not state that "value" is the only variable available to expression.

Expand "Expression" at:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/TableFormatsXML#Color_palette_types_and_optio...

0 Karma

christal1989
New Member

Hi,

In my use case ideally I wanted to decide colour based on multiple fields. Since I could not do that, I created a new field which will check the conditions in multiple fields and put the value of colour required for that whole row. Though this was tweak, this only help if I can extend the colour from one column to whole row.

So getting a solution for "colouring multiple columns based on one field" OR "colour one column based on multiple columns" both will help me.

Also in my case, I cant use JS extension.

Regards,
Chris.

0 Karma

christal1989
New Member

Hi,

I'm also facing the similar issue. I want to use values from other fields before deciding the colour on the column. If someone can throw some light into this original post, that would be really helpful in a lot many ways.

Regards,
Chris.

0 Karma

niketn
Legend

@christal1989 this question is for coloring multiple columns based on one field however, without using Simple XML JavaScript extension.

Your use case seems to be different, where you want to use multiple fields to decide color of a column (which is just reverse). If you do not have a restriction of using JavaScript in your Splunk Dashboard you should check out the following answer by @kamlesh_vaghela https://answers.splunk.com/answers/661894/how-to-color-cell-contents-with-css-and-js.html#answer-661...

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@wowczarek will the field names remain same or can they change? How many in total of they are fixed?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...