Color a word in a field/Splunk Result

kirti_gupta12 · ‎11-17-2021

I have a Splunk query:

index=my_index cf_app_name=$app_name$ msg!="*Hikari*" $log_type$ | sort -_time | table msg

It populates Splunk with results.

Now, the msg field has log_type as INFO, ERROR, WARNING. Example:

2021-11-17 15:03:34.921  INFO 22 --- [ taskExecutor-1] c.c.p.r.e.EventService            : Event sent to event ID: 2111 - REPRICING has finished

2021-11-16 22:23:54.905 ERROR 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService           : Could not delete file: /-/PCS.P.KSZ4750J.TRIG.FILE - 4: Failure

2021-11-16 22:23:54.905 WARNING 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService           : Could not delete file: /-/PCS.P.KSZ4750J.TRIG.FILE - 4: Failure

Now, My goals is to COLOR the log_type field in the "msg" to Green if it's INFO, Red if it's ERROR, and Yellow if it's WARNING.

I don't want to color the entire msg field, just the words INFO, ERROR and WARNING should be turned to those specific colors.

@scelikok @somesoni2

ITWhisperer · ‎11-17-2021

Assuming you are using the standard table viz, this is not possible; you would need to split the message up into different fields and then just colour the field with the log type in.

Color a word in a field/Splunk Result

fields

regex

stats

subsearch

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...