In this post we show you how you can set the single value visualisation colours from values in your data. This is useful if you want to add some ITSI KPIs to a normal Splunk dashboard.

The search below can be used to provide both the KPI value to display (alert_value) and the colour (alert_color) – substitute <<insert_kpi_id>> with a KPI ID from your environment.

index="itsi_summary" indexed_itsi_kpi_id::<<insert_kpi_id>> (indexed_is_service_aggregate::1 AND indexed_is_service_max_severity_event::0) 
| timechart cont=false latest(alert_value) AS alert_value, latest(alert_color) AS alert_color

Run the search then choose Save As – New Dashboard.

Dashboard Studio

Choose to use Dashboard Studio to build your dashboard:

screenshot - saving a panel to a new dashboard
Choose Dashboard Studio

The default setup will produce something like this:

SIngle Value Visualisation Screenshot
Default Single Value Setup

The “Coloring” options in the dashboard studio allows for colours to be set, but you cannot currently choose a field to set the colour from in the dashboard studio UI. In order to set the colour from a field in the data we need to get into the code.

colour options in the Splunk Dashboard Studio
Colour options in the Dashboard Studio

Coding the Colour Changes

Much like some of the more advanced customisations that you would do on a SimpleXML dashboard we perform the setup in the options on the visualisation. Add the highlighted line as shown below.

screenshot of code to set SIngle Value Visualisation Colours
Setting the majorColor option on the single value visualisation

This now colours the KPI value to match the “alert_color” field in the data, as shown below:

Screenshot showing SIngle Value Visualisation Colours
Single value visualisation using colour from a field in the data

If we want to set the background to match the alert_color then we can instead use the following option:

"backgroundColor": "> primary | seriesByName(\"alert_color\") | lastPoint()"

This results in the following visualisation:

Screenshot showing SIngle Value Visualisation background Colours
Single value visualisation with the background colour set from a field in the data

Other Options

All of the various options are documented here. In the third single value visualisation below we have switched on the showSparklineAreaGraph option.

Screenshot showing three options on SIngle Value Visualisation Colours
Single Value visualisations

Summary

Using ITSI KPIs in your Splunk Core dashboards is efficient and provides consistency. Using the method highlighted above you can ensure the the colour of a single value visualisation mirrors the current alert_color of the KPI.

Take a look at this post for other dashboard colour tips.

For 2021 we’ve committed to posting a new Splunk tip every week!

If you want to keep up to date on tips like the one above then sign up below:

Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.

Subscribe

* indicates required
Posted by:Stuart Robertson

Stuart Robertson is the Consulting Director at iDelta. He is one of the initial founders of iDelta and has worked there since formation in 2001. Stuart holds various certifications in Core Splunk and ITSI. Stuart also holds a Bsc(Hons) in Computing Science from the University of Glasgow.

One thought on “Dashboard Studio – Single Value Visualisation Colours

  1. Pingback: ITSI Summary Metrics Index - iDelta

Comments are closed.