How do you change the background color of a timechart if there is a value of zero ?

DEAD_BEEF
Builder

I have a simple timechart that looks at the _internal index for various hosts and makes a simple timechart span by hour. I trellis this by host so I get say 8 medium sized timecharts that show log counts over the last 3 days. Sometimes, some of these hosts go down and the value obviously goes to zero.

How do I make the background panel for that host colored red when any of the values is zero? In other words, I want to capture the attention of my users when any of the hosts have a time when there are no logs. If this isn't possible, I'd be open to other suggestions that would get a user's attention. I already have alerts set up as well, but this dashboard is also important, and I want to make it easier to capture the user's attention.

| tstats count where index=_internal host=myhost00* by host _time prestats=t span=1h
| timechart span=1h count by host

Final working SPL. Since I have multiple hosts, I just broke them down into individual searches and removed the <panel> tags to make them look like one big panel.

<dashboard>
  <label>Test Dashboard</label>
  <row>
    <panel>
      <chart>
        <search id="pre">
          <query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
                 | timechart span=1h count AS mycount
          </query>
          <earliest>-48h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="charting.backgroundColor">$myColorToken$</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">preview</option>
      </chart>
    </panel>
  </row>
  <search base="pre">
    <query>| stats min(mycount) AS mincount</query>
    <done>
      <eval token="myColorToken">if($result.mincount$&lt;=0,"red","white")</eval>
    </done>
  </search>
</dashboard>

DalJeanis
SplunkTrust
SplunkTrust

With a normal chart, it would be easy enough. You'd do a post process search to calculate the lowest value and on <done> set a background color based on that.

Updated with more details as per request...

In your SPL, you will do something like this

<search id="whatever">
    <query>
     ... your search stuff...
     | timechart span=1h count as mycount
    </query>
</search>

Elsewhere, you will have another search that uses that one as its base

<search base="whatever">
    <query>
    | stats min(mycount) as mincount
    </query>
     <done>
      <eval token="myColorToken">if($result.mincount$&lt;=0,"red","green")</eval>
    </done>
</search>

In your chart, you are going to have a line like this...

<option name="charting.backgroundColor">$myColorToken$</option>

The above is all aircode, but should be reasonably close. You can test each chunk by hardcoding, such as hardcoding a <set> command with your color values and seeing that the backgroundColor option is working, and so on.


Unfortunately, trellis is a bit of a blunt instrument at the moment. I can see a way to do this with singles, but not timecharts.

Paging @niketnilay...

DEAD_BEEF
Builder

Thank you @DalJeanis! Just needed to encode the "<" but otherwise it worked perfectly. First time for me using these tags, learning new SPL every day.

DalJeanis
SplunkTrust
SplunkTrust

Ah, yes. Updated < to &lt;.

niketn
Legend

😄 I will keep quiet if this works straightforwardly with several charts powered by individual queries. <condition match="$job.resultCount$==0"> (i.e. to capture "Search returned no results") can also be used with the <done> and <progress> search event handlers to achieve the same result of setting the background color of the chart!

| makeresults | eval message= "Happy Splunking!!!"

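Combining the base-search / post-process / <done> token pattern from the accepted answer with niketn's $job.resultCount$ condition, as an added example that is not from the original thread: one panel per host, with the empty-result case handled so the panel still turns red when a host logged nothing at all in the window. The host name system1 and the token name color_system1 are assumed, as is the assumption that the post-process search returns no rows (rather than a null mincount) when the base search is empty; the asker's final working dashboard above relies on $result.mincount$ alone, which never fires if that field is absent.

```xml
<dashboard>
  <label>Host log volume (added example)</label>
  <!-- One base search per host. Copy the row and the post-process search
       for each additional host, changing the host name and token name. -->
  <row>
    <panel>
      <title>system1</title>
      <chart>
        <search id="base_system1">
          <query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
| timechart span=1h count AS mycount</query>
          <earliest>-48h@h</earliest>
          <latest>@h</latest>
        </search>
        <!-- The background colour is driven entirely by the token set below. -->
        <option name="charting.backgroundColor">$color_system1$</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">preview</option>
      </chart>
    </panel>
  </row>
  <search base="base_system1">
    <query>| stats min(mycount) AS mincount</query>
    <done>
      <!-- Host was silent for the whole window: no rows come back, so
           $result.mincount$ is empty and the eval below would not run.
           Treat "no results" as the worst case and flag it red. -->
      <condition match="$job.resultCount$==0">
        <set token="color_system1">red</set>
      </condition>
      <!-- Normal case: at least one hourly bucket exists; red if any bucket is zero. -->
      <condition>
        <eval token="color_system1">if($result.mincount$&lt;=0,"red","white")</eval>
      </condition>
    </done>
  </search>
</dashboard>
```
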
DalJeanis
SplunkTrust
SplunkTrust

Yes, but I couldn't type that one as aircode, and didn't want to take the time to google the exact capitalization...

DEAD_BEEF
Builder

Hi @DalJeanis I think I can break up the SPL query into individual searches to avoid using trellis. Can you give me an example of how to do it with a "normal chart"? Then I can try implementing it via <done> as you mentioned?
