Spread our blog

Dynamically change sparkline color based on condition

Today we will dive into “Sparkline Coloring”.

Sparklines are inline charts that appear within table cells in search results. and are designed to display time-based trends associated with the form of the sparkline.

Example 1:

So, in the first example, we will try to investigate the basic sparkline in Splunk. Then we will move into our original topic. If you already know about sparklines in Splunk, then you can skip this example.

index=_internal 
| stats sparkline count by sourcetype

Result:

Explanation:

Here we have taken _internal index and then, we have used the stats command to fetch counts based on sourcetype and we have used the “sparkline” function to create an extra field called “sparkline”. Which is showing trends of count based on time in the form of sparks.

Example 2:

I hope we people all understand to use sparkline in an in-line table. Now we will discuss our original use case, which is based on certain conditions we will try to change the sparkline color.

As you have seen from the previous example, the default sparkline comes with green color. Now suppose we have data like this:

index="server"
|stats sparkline latest(status) as status latest(_time) as _time by server

Here we are getting the latest server status with server names and time and a sparkline. Now based on the “status” field we want to change the color of the sparkline. I.e. if it is “UP” the color will be green and in the case of “DOWN”, it will be red.

You can also know about :  HOW TO SEND SPLUNK ALERT TO YOUR TELEGRAM GROUP CHAT USING TELEGRAM ALERT ACTION APP

First of all, we change our query according to our requirements.

index="server"
|stats sparkline latest(status) as status latest(_time) as _time by server
|eval UP=if(status="UP",'sparkline',NULL)
|eval DOWN=if(status="DOWN",'sparkline',NULL)
|fields - sparkline

Explanation:

Here we have created two fields using eval commands “UP” and “DOWN”. So whenever status is UP, the “UP” field will come with a sparkline, and in case of down status, the “DOWN” field will come with sparkline.

Now go to your dashboard and click on Edit and go to the Source.

And do the following modifications as shown below.

Add these lines to your source code.

<format field="DOWN" type="sparkline">
          <option name="lineColor">#ff0000</option>
</format>
<format field="UP" type="sparkline">
          <option name="lineColor">#008000</option>
</format>

Result:

Now as you can see based on “status” field values sparkline color is changing respectively. i.e. in the case of UP, it is Green and in the case of DOWN, it is Red.

Hope you all have enjoyed this blog ” Dynamically change sparkline color based on condition “.

Happy Splunking!!

What’s your Reaction?
+1
+1
+1
1
+1
+1
1
+1
+1

Spread our blog

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here