Change color of group field based on tooltip condition in event timeline viz.

yadavshilpa
New Member

I have columns like Group label Tooltip start in event timeline viz.
Group   label   Tooltip    start
A       X       No Error   3pm
A       Y       Error      4pm
B       Z       No Error   4pm
B       X       No Error   4pm
C       Y       Error      3Pm
C       Z       No Error   3Pm

  • I want to change the color of the group field based on the condition of the tooltip (if group A has tooltip values like No Error and Error, the color should change to Red; if group B has tooltip values like No Error and No Error, the color of the group field should change to Green).
0 Karma

niketn
Legend

@yadavshilpa what if you join Group and Label as a single field? Then categorical color will be applied based on Tooltip.

| eval "Group - Label"=Group." - ".label
| fields - Group label
| table "Group - Label" Tooltip start

You can alternatively try the Timeline Custom Visualization as well. Following is a run-anywhere example based on the same:

<form>
  <label>Timeline Example</label>
  <row>
    <panel depends="$alwaysHideCSSPanel$">
       <html>
           <style>
            div.splunk-timeline-tooltip div.tooltip-meta p,
            div.splunk-timeline-tooltip div.tooltip-inner p.time-span-label{
            color: white !important;
            }
           </style>
       </html>
    </panel>
    <panel>
      <title>Timeline with Categorical Colors</title>
      <viz type="timeline_app.timeline">
        <search>
          <query>| makeresults
| eval data="A X NoError 3pm;A Y Error 4pm;B Z NoError 4pm;B X NoError 4pm;C Y Error 3pm;C Z NoError 3pm;"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Group=mvindex(data,0),label=mvindex(data,1),Tooltip=mvindex(data,2),start=mvindex(data,3)
| eval Tooltip=case(Tooltip="NoError","No Error",true(),Tooltip)
| eval start_time=strftime(now(),"%Y/%m/%d")." 0".replace(start,"pm",":00:00 PM")
| eval _time=strptime(start_time,"%Y/%m/%d %H:%M:%S %p")
| eval "Group - label"=Group." - ".label
| eval duration=0
| fields - _m*
| fields _time "Group - label" Tooltip duration</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="timeline_app.timeline.axisTimeFormat">MINUTES</option>
        <option name="timeline_app.timeline.colorMode">categorical</option>
        <option name="timeline_app.timeline.maxColor">#DA5C5C</option>
        <option name="timeline_app.timeline.minColor">#FFE8E8</option>
        <option name="timeline_app.timeline.numOfBins">6</option>
        <option name="timeline_app.timeline.tooltipTimeFormat">MINUTES</option>
        <option name="timeline_app.timeline.useColors">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
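
The group-level condition from the question (a group counts as "Error" if any of its rows has Tooltip "Error"), as an added example that is not part of the original posts. It reuses the sample rows and field names from the thread; `error_count` and `GroupStatus` are hypothetical field names chosen for illustration.

```spl
| makeresults
| eval data="A X NoError 3pm;A Y Error 4pm;B Z NoError 4pm;B X NoError 4pm;C Y Error 3pm;C Z NoError 3pm"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Group=mvindex(data,0), label=mvindex(data,1), Tooltip=mvindex(data,2), start=mvindex(data,3)
| eval Tooltip=if(Tooltip="NoError","No Error",Tooltip)
| eventstats count(eval(Tooltip="Error")) AS error_count BY Group
| eval GroupStatus=if(error_count>0,"Error","No Error")
| table Group label Tooltip start GroupStatus
```

`eventstats` writes the per-group error count onto every row without collapsing the rows, so each event keeps its own Tooltip alongside the rolled-up `GroupStatus`. Using `GroupStatus` in place of `Tooltip` in the final `fields` list of the search above makes the categorical color follow the group-level status.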

yadavshilpa
New Member

Hi niketnilay,

Thanks for your response.

If I use | table "Group - Label" Tooltip start, then an error message is generated stating "Error Rendering Event timeline viz vizualization please include the following fields in the search query Eg: |table group label start end tooltip".

I already have columns like group label data start end tooltip. The group field color should change to green if the tooltip field is "no error", otherwise "red".

Note: For the group field, the background color option is not available to change the color when I inspect the element in Google. Can anybody help me out with whether the background color property is available for the group field in the event timeline viz visualization?

0 Karma