The single value view in Splunk uses to replace numeric values with text

stay splunk Of single value In the view , Before, we used to display colors directly according to values , That is to say single value What value is used in , Then the color setting is displayed according to this value , In other words , The value of this display must be the value of setting color rules . In some cases, we may just want to show the name of an indicator , Then set the color according to the value of this indicator , That is to say, change the original display value to display indicator name , Do not show specific values , But still set the color with this value .

In this case , Our implementation idea is to show by value , Finally, replace this value with the index name （ Text ）.

Suppose the original situation is like this , When grade Greater than 60 Green when , Less than or equal to 60 when , Show red , Note that our view in this building is based on grade Set the color with the value of , And will grade Show the value of ：

| makeresults
| eval grade="37"
| table grade

  What we need to achieve now is , Change the displayed value into the indicator name / Text , The color rules remain the same .

If we use replace Replace the final displayed value , So use " Format " The color rules set in will naturally become invalid , because " Format " The rule in is spl It will take effect after the execution , Take a look at this test ：

| makeresults
| eval grade="37"
| table grade
| replace "37" with "Student Grade" in grade

  Because the final value is replaced by text , Therefore, the rule setting of this numerical type is invalid , The final display is gray .

therefore , The method we need to use is to use Splunk An official one rangemap To help us set the color , And then again replace Text , The implementation method is as follows ：

| makeresults
| eval grade="37"
| rangemap field=grade low=61-100 severe=0-60 default=gray
# here low and severe They correspond to green and red respectively , This is a Splunk The official default configuration , You can refer to other use cases in official documents .
# If the color rule you want to set is a specific value rather than a range , Then you can set it to - The values before and after are the same , Set it to the value you want to define . Such as ：| rangemap field=grade low=60-60 severe=100-100 default=gray

At this time, you need to pay attention to " Format " Disable the color in , Because we are through spl Inside rangemap To set the color .

  After setting the color , Start replacing displayed values ：

| makeresults
| eval grade="87"
| rangemap field=grade low=61-100 severe=0-60 default=gray
| replace "87" with "Student Grade" in grade
#replace The next first parameter is the replaced value ,with Followed by the replaced value ,in The next one is to replace the value in which field 

  At this point, the value displayed in the view becomes a custom text , It has nothing to do with the value behind the color setting , It should be noted that replace The latter value is only when grade The value of the field is "87" Will be replaced when , Otherwise, it will not be replaced .

  Here I'm just an example of value substitution , But in practice replace The value of may vary , So we need to adjust the logic according to the business .

That's through rangemap and replace Realization single value Replace the display value in , For more use cases, please refer to the official documents ：

rangemap - Splunk Documentation