Define Single Value Trellis Visualization Color Based On Non-Numeric Field

Single value trellis visualizations can be colored by numeric ranges out of the box: you pick a count or another numeric field and define the thresholds for each color. There is no built-in way to choose a color from a non-numeric field such as a log level. This post shows how to get that effect anyway, by mapping the string values to numbers and letting the "rangemap" command produce the "range" field that the visualization uses for color.
Let's look at the use case.
We start with a query like this:

index=_internal
| stats count by log_level

This returns the number of events for each value of the "log_level" field in the _internal index.
If we switch the visualization to a single value trellis, with one panel per "log_level" value, it looks like this:


Now we want the color of each panel to follow the "log_level" value: green for INFO, yellow for WARN and red for ERROR.
This could be done with custom JavaScript and CSS, but that is more work than the problem deserves. The same result can be achieved purely in SPL with the "rangemap" command.

NOTE: The "rangemap" command is normally used to categorize a numeric field into named bands;
it adds a new field called "range" holding the band name (or the value given with "default=" when nothing matches, which is the literal string "None" if no default is set).
The single value visualization recognizes the band names low, guarded, elevated, high and severe and colors the panel green, blue, yellow, orange and red respectively, so "rangemap" can be used to drive color as well as to categorize.

Now our modified query will look like this,

index=_internal
| stats count by log_level
| eval color=case(log_level="INFO","1",log_level="WARN","5",log_level="ERROR","10")
| rangemap field=color low=1-4 elevated=5-9 severe=10-14

Result:

Visualization:


Explanation:
As before, we fetch the count per "log_level" value from the _internal index. The "eval" command then creates a field called "color" that is 1 for INFO, 5 for WARN and 10 for ERROR. Finally the "rangemap" command uses that field to create the "range" field: values within 1-4 (inclusive) become low (default color green), 5-9 become elevated (yellow) and 10-14 become severe (red). Any other "log_level" value, for example DEBUG or FATAL, has no "color" value and so gets no matching range; add a "default=" option to "rangemap", or extend the "case" function, if those panels should be colored too.
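The following query is an added example, not part of the original post, that generalizes the technique above to every log level found in _internal and uses all five range names the single value visualization understands. The set of log levels (DEBUG, INFO, WARN, ERROR, FATAL) and the severity numbers are assumptions for this example; adjust them to the values in your own data. The "true()" branch of "case" makes sure every event gets a numeric severity, so no panel is left uncolored, and "default=low" covers anything that still falls outside the bands.

```spl
index=_internal
| stats count by log_level
| eval severity=case(
      log_level="DEBUG", 1,
      log_level="INFO",  3,
      log_level="WARN",  5,
      log_level="ERROR", 7,
      log_level="FATAL", 9,
      true(),            0)
| rangemap field=severity low=0-2 guarded=3-4 elevated=5-6 high=7-8 severe=9-10 default=low
| fields log_level count range
```

Switch the panel to Single Value, enable Trellis layout split by "log_level", and each panel picks up the color for its "range" value: DEBUG and unknown levels green, INFO blue, WARN yellow, ERROR orange, FATAL red. Keep the "range" field in the result set (the trailing "fields" command only drops the helper "severity" field); if you remove it, the visualization falls back to its numeric color settings.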

Happy Splunking !!!

You may also want to read: Highlighting the row of two tables with respect to the condition of a single column respectively.
