Define Single Value Trellis Visualization Color Based On Non-Numeric Field
We all know that we can specify the color in a single value trellis visualization based on the count or another numeric field, by defining colors for numeric ranges. Today we will try to assign a color in a single value trellis visualization based on non-numeric values.
Let’s try to understand the use case.
Here we have a query like this:
index=_internal | stats count by log_level
This query fetches the count of each “log_level” value from the _internal index.
Now if we change the visualization into a single value trellis it will look like this.
Now based on the “log_level” field we will try to change the color here. For INFO it will be Green, for WARN it will be Yellow and for ERROR it will be Red.
NOTE: The “rangemap” command is generally used to categorize numeric fields; it adds a new field called “range”. We can also use “rangemap” to define the color in the visualization.
Now our modified query will look like this:
index=_internal | stats count by log_level | eval color=case(log_level="INFO","1",log_level="WARN","5",log_level="ERROR","10") | rangemap field=color low=1-4 elevated=5-9 severe=10-14
This query fetches the count of each “log_level” value from the _internal index. Then, using the eval command, we create a field called “color” that is set to 1, 5 or 10 when “log_level” is INFO, WARN or ERROR respectively. Finally, the “rangemap” command creates a field called “range” from the specified ranges: 1-4 is low (whose default color is green), 5-9 is elevated (yellow) and 10-14 is severe (red).
Happy Splunking !!!