Colorize your world…or at least your Splunk results.

I uncharacteristically spent more than a few minutes last weekend writing up and testing a response for Splunk>Answers, and after addressing it in last week’s podcast, I thought I should cover it further in a blog post.

The title theme of our SplunkTalk podcast last week was the Big Event, and we broke down a bunch of dialog on event duration, data classification and ultimately eventtypes.  Notorious Splunk customer Matt Uebel’s question on Answers asked about “color coding” events within the results tables in the UI.

While it’s less complicated than assembling IKEA furniture, it’s not completely intuitive. In any case – you need to do three things, and the first is to define an eventtype (one stanza in eventtypes.conf) for each kind of event that you want to “colorize”. Here’s an example of eventtypes.conf:

[normal]
search = sourcetype="your_sourcetype" your_field="Normal"
[warning]
search = sourcetype="your_sourcetype" your_field="Warning"
[critical]
search = sourcetype="your_sourcetype" your_field="Critical"

In this example, I’ve created 3 different eventtypes – one for each message type that may come from a single sourcetype.

Next you’ll need to create an event_renderers.conf file in your app directory; each renderer gets its own uniquely named stanza that points at an eventtype and a CSS class. Here’s how I did it for the example above:

[event_renderer_1]
eventtype = normal
css_class = EventRendererNormal

[event_renderer_2]
eventtype = warning
css_class = EventRendererWarning

[event_renderer_3]
eventtype = critical
css_class = EventRendererCritical

Finally, add CSS rules to application.css that map to the renderers’ css_class names (Splunk prefixes each class with splEvent-):

.EventsViewer .splEvent-EventRendererNormal .event { color: green; }
.EventsViewer .splEvent-EventRendererWarning .event { color: yellow; }
.EventsViewer .splEvent-EventRendererCritical .event { color: red; }

One other piece of guidance for working with our UI: use Firefox and the Firebug plug-in. Debugging the CSS often gets difficult, and seeing the inheritance visually makes all the difference while slogging through the bigger files.

We’ll address more on UI development on the SplunkTalk podcasts in the future – and look for additional entries on Splunkbase coming soon.

Posted by Jeffery Blake