Re: How to set color to result if output is less t...

himanshuqb · ‎11-08-2021

I wan to set color for output of column if it's date matches current or two days before current date.

ITWhisperer · ‎11-08-2021

This sort of question has been answered multiple times - essentially, the technique is to use a multi-value field with a calculated value e.g. based on the dates in the event in your instance, set the colour based on this value and use CSS to hide the multivalue element

How-to-change-table-cell-background-color-depends-on-search

himanshuqb · ‎11-08-2021

The value i want to use is _time or time with %Y%d%m, i checked many posts and found only static values which were used how can we use _time or _time -2.

ITWhisperer · ‎11-08-2021

| eval time=if(relative_time(_time,"@d")=relative_time(now(),"@d"),mvappend(strftime(_time,"%Y-%m-%d"),"today"),if(relative_time(_time,"@d")=relative_time(now(),"-2d@d"),mvappend(strftime(_time,"%Y-%m-%d"),"two days ago"),strftime(_time,"%Y-%m-%d")))

himanshuqb · ‎11-08-2021

Thanks, but i was looking for something which i can use in color option to color anything today or two days before to something. What i'm looking for is how to use

<format type="color" field="time-check"> <colorPalette type="expression">case (like(value,"%_time%"),"#FF5733")</colorPalette> </format>

ITWhisperer · ‎11-08-2021

        <format type="color">
          <colorPalette type="expression">if (relative_time(strptime(value,"%Y%m%d"),"@d")=relative_time(now(),"@d") OR relative_time(strptime(value,"%Y%m%d"),"@d")=relative_time(now(),"-2d@d"),"#FF5733",null())</colorPalette>
        </format>

How to set color to result if output is less than equal to current date

chart

eval

table

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!