All Apps and Add-ons

Automatic Simple XML Dashboard: Is it possible to substitute numeric data value in a cell to a non-numeric value?

ozman2112
Explorer

I'm not a dashboard expert however, from a search I have the following setup:

| rex field=msg.Properties..FileName "(?[\w-]+\.apm)" 
| eval EventName='msg.Properties..EventType'
| search Filename 
| chart count over Filename by EventName

This gives me results like:
Filename Moved FileError Validated Sent ValidationError
1bc71199.apm 1 1 1 2 0
43bd3399.apm 1 1 1 2 1

Is it possible to change the 0s, 1s and 2s to other values? Like maybe a TimeStamp or Checkmark or basically something that isn't a number?

Also, maybe I shouldn't be using a CHART for summary (but my users like the data representation) but please tell me if I'm doing that wrong too! Are stats the better option? Thanks!

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @ozman2112,

You can do both. If you want to replace the number by specific words you can use a conditionaleval expression and simply replace any occurrence of 0,1 or 2 with a specific word.

You can also replace them with checkmarks if needed using javascript. You can find some examples of that in this app here :
https://splunkbase.splunk.com/app/1603/
Also check this out for including icons within a table :
https://answers.splunk.com/answers/345025/simple-xml-dashboard-examples-how-to-add-a-new-ico.html

Cheers,
David

View solution in original post

DavidHourani
Super Champion

Hi @ozman2112,

You can do both. If you want to replace the number by specific words you can use a conditionaleval expression and simply replace any occurrence of 0,1 or 2 with a specific word.

You can also replace them with checkmarks if needed using javascript. You can find some examples of that in this app here :
https://splunkbase.splunk.com/app/1603/
Also check this out for including icons within a table :
https://answers.splunk.com/answers/345025/simple-xml-dashboard-examples-how-to-add-a-new-ico.html

Cheers,
David

ozman2112
Explorer

OK, sounds simple enough:

| eval EventName='msg.Properties.EventType'
| search Filename
| chart count(eval(if(EventName="1", "one","is not one"))) over Filename by EventName

None of the "1"s in the chart were replaced. They remained the same. Is there an equality issue?

0 Karma

DavidHourani
Super Champion

I meant an eval in a line right after the chart. Try something like this instead, it's easier :

    ... | replace 0 WITH iszero, 1 WITH isone,2 WITH istwo IN Moved

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace

And to apply it to all fields you can simply do this :

   ... | foreach * [|replace 0 WITH iszero, 1 WITH isone,2 WITH istwo IN <<FIELD>>]
0 Karma

ozman2112
Explorer

...and thanks for replying on a Saturday! 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...