Splunk Search

Best way to highlight a table row that has been updated in the last N minutes

gregbujak
Path Finder

I'm trying to figure out the best approach to using CSS(?) to highlight a row that has been updated in the last number of minutes. Specifically this is around order processing. These orders have a lifecycle that they go through until they are complete. I want to highlight the order (row) that has been changed.


aholzer
Motivator

You'll have to combine CSS with some advanced xml / Sideview Utils and some search manipulation. If you are using Sideview Utils (recommended), you can use the param "rowClass" from the Table module to set a tag that you will use in your CSS.

Let's take this step by step:
1) Your search - You'll need a field that contains a flag to highlight or not depending on when the event occurred compared to the current time. Note you want to use time() rather than now(), especially if you are using real-time searches. I've selected 5 minutes as the time frame to highlight the events for, but by changing the 5 below you can select however many minutes you need.

... | eval flash_time_css = if(time() - _time < 60 * 5, "FLASHYES", "FLASHNO")

2) Now that we have the flag, you can use it in your dashboard xml to create a rowClass entry in your Table module. I would also suggest using the hiddenFields parameter from the Table module to avoid displaying this flag. Something like this:

<module name="Table">
  <param name="hiddenFields">flash_time_css</param>
  <param name="rowClass">$row.fields.flash_time_css$</param>
</module>

3) Lastly your CSS. You have now set the "class" for your "tr" tags, and you should define an entry to change the highlight. I've chosen to highlight the appropriate rows with a background of yellow for my example.

tr.FLASHYES td {
  background-color: yellow;
}

Important note: If you created the CSS as part of these steps, you'll need to restart Splunk for it to pick it up. If, however, the CSS already existed, all you need to do is refresh the dashboard so that it picks it up.

Good luck!


gregbujak
Path Finder

@aholzer

Awesome. This looks great and it will get me through the current jam. I suspect that there has got to be a better approach with CSS than using the full class but you get a cookie (but I do have more cookies to give out).
