Is it possible to use a variable inside a color palette expression using only SimpleXML in Splunk? I have the following field:
myField:
mySearch | eval myField = 100
In Splunk, I have a table. The table returns rows with just numbers (e.g 16,123,644 etc.). Changing the color for these rows based on the value works like this:
Color palette:
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > 100 ,"#df5065","#00FF00")</colorPalette>
</format>
If sourceField is greater than 100, the row with that value is colored RED. Any other value will color the row GREEN. I want to adjust the above piece of code to include the variable myField so that I can change the color based on the variable. I have tried the following:
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > myField ,"#df5065","#00FF00")</colorPalette>
</format>
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > $myField$ ,"#df5065","#00FF00")</colorPalette>
</format>
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > 'myField' ,"#df5065","#00FF00")</colorPalette>
</format>
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > (myField) ,"#df5065","#00FF00")</colorPalette>
</format>
But none of the above work.
Is it possible to include variables in the above color palette expression and if so, how do I do it? Thanks in advance.
CodePudding user response:
To use the results of a search query in your XML, try $results.myField$.
CodePudding user response:
What I did to get it to work:
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > $mytoken$ ) ,"#df5065",default)</colorPalette>
</format>
And :
<done>
<set token="mytoken">$result.myField$</set>
</done>
I also tried (did not work for me) :
<format type="color" field="sourceField">
<colorPalette type="expression">if (value > $result.average$ ) ,"#df5065",default)</colorPalette>
</format>