If you are using a table to display critical information and you want a quick way to draw the users’ attention to a particular field, you can of course use colour highlighting. But, for a more eye-catching option, maybe you want to include a little icon of an ⚠ī¸ alert triangle, a ✅ nice green tick, or maybe even a đŸ”Ĩ flame if everything has gone wrong!

Normally, adding images to your visualisations involves working with css and js, which can be a complex task. However, unicode characters are supported in Splunk, and emoji are unicode characters. This means that you can easily add emoji to your visualisations! Obviously, we encourage you to keep it simple and professional, but this trick should work for any emoji you can think of – of course, browsers may not support the most recent emoji releases, but the classics are widely supported.

There are several ways you might want to include these icons. For example, you might want to use an eval statement to associate an icon with a certain value. Maybe you have logs that contain a statement relating to severity – it would be easy to use emoji to distinguish between, say, ℹī¸ info or a 🚨 warning message using the following eval statement:

...
| eval icon=case(level="WARN","🚨 ", level="INFO", "ℹī¸ ", true(),"") 
...

Another way you can use emoji in Splunk is in the rangemap command, which allows you to set an icon for a range of numerical values. In the below example, the emoji are used to provide a visual indication of the temperature in a given room:

...
| rangemap field=temperature đŸĨļ=0-18 🆗 =18-21 default=đŸ”Ĩ
...
Which rooms are too hot or too cold?

Because this is a bit of a hacky method, you should be aware that this can make the text cursor in the SPL editor appear out of line, so make sure it is on a line of its own in the search command to minimise confusion (use shift+enter to insert a line break).

Browser differences in handling emoji can result in icons rendering unexpectedly, so be sure to check it in the environment you are intending for it to be viewed in. But if you want a quick way to add a bit of visual impact to a dashboard, this will certainly grab some attention!


For 2021 we’ve committed to posting a new Splunk tip every week!

If you want to keep up to date on tips like the one above then sign up below:

Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.

Subscribe

* indicates required
Posted by:Becky Nielsen

Becky is a certified Splunk Admin, who has been working for iDelta since graduating from CodeClan's Professional Software Development course in 2019. Previously an archivist at several institutions around the UK, she holds an MSc in Information Management and Preservation from the University of Glasgow.