- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- single value not changing colour
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
single value not changing colour
following not displaying colour within the form.
If search finds events between 3012 - 3054, display Warning in Yellow (i.e elevated).
If I search and view as elevated, its displays the count of events in Yellow. But this is not working in form.
HV-test
<single>
<title>HV Err</title>
<searchString>index =xxx Type!=Information (EventCode>="3012" AND EventCode<="3054") | stats count | appendpipe [ stats count | eval Status="No Errors" | where count==0 ] | eval Status=if(count==0,"No Errors","Warning") | eval range = if(Status=="No Errors","low","elevated")</searchString>
<earliestTime>-7d@h</earliestTime>
<latestTime>now</latestTime>
<option name="list.wrap">1</option>
<option name="classField">range</option>
<option name="field">Status</option>
</single>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Get the Status Indicator app - it will allow you to do single value text with colors and icons. There are examples in the Dashboard Examples app by Splunk.
,A better way to go is to get the 'Status Indicator' app. Think of it as a super-powered single value visualization. I did the same thing with it and it includes the capacity to add an icon based on output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It should work. I made a code similar to yours, with forms inputs, and that works very well. Take a look at it.
<form>
<label>single_value_changing_color</label>
<description/>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="time" searchWhenChanged="true">
<label/>
<default>
<earliestTime>0</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
<input type="dropdown" token="action" searchWhenChanged="true">
<label>Choose one action</label>
<choice value="*">All</choice>
<populatingSearch fieldForLabel="action" fieldForValue="action">index=_audit|stats count by action|sort action</populatingSearch>
<default>change_own_password</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>HV Err</title>
<searchString>index=_audit action=$action$ | stats count by user | appendpipe [stats sum(count) as count | eval Status = "LESS THANT 20"|where count<20]|sort action| eval Status=if(count<20,"LESS THANT 20","MORE THAN 20") | eval range = if(Status=="LESS THANT 20","low","elevated")</searchString>
<earliestTime>$time.earliest$</earliestTime>
<latestTime>$time.latest$</latestTime>
<option name="list.wrap">1</option>
<option name="classField">range</option>
<option name="field">Status</option>
<option name="linkView">search</option>
<option name="drilldown">none</option>
</single>
</panel>
</row>
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Taking that panel XML works for me, the text is displayed as green if the count is zero and yellow otherwise.
Are there any CSS messages logged in your browser's console?
Does the app of that dashboard contain any CSS customization?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
