https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428432#M28216 <P>Im trying to create bar chart base don table and to color the columns by field that is not part of the table.<BR /> For example:</P> <PRE><CODE>**my_search... | eval risk_order=case(app_risk=="High",0, app_risk=="Critical",1) | stats count as "Logs" by appi_name ,risk_order | sort 10 -risk_order -"Logs" | table appi_name , "Logs"** </CODE></PRE> <P>If I visualize it, I see that every bar as the same color (which is based on field "Logs").<BR /> <STRONG>I would like to change the color of the bar based on app_risk field.</STRONG><BR /> each value of app_risk should use different color.</P> <P>How can I do it?</P> Tue, 28 Aug 2018 08:27:57 GMT shayhibah 2018-08-28T08:27:57Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428432#M28216 <P>Im trying to create bar chart base don table and to color the columns by field that is not part of the table.<BR /> For example:</P> <PRE><CODE>**my_search... | eval risk_order=case(app_risk=="High",0, app_risk=="Critical",1) | stats count as "Logs" by appi_name ,risk_order | sort 10 -risk_order -"Logs" | table appi_name , "Logs"** </CODE></PRE> <P>If I visualize it, I see that every bar as the same color (which is based on field "Logs").<BR /> <STRONG>I would like to change the color of the bar based on app_risk field.</STRONG><BR /> each value of app_risk should use different color.</P> <P>How can I do it?</P> Tue, 28 Aug 2018 08:27:57 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428432#M28216 shayhibah 2018-08-28T08:27:57Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428433#M28217 <P>What is your current output? Can you add mock screenshot of current and expected output?</P> Tue, 28 Aug 2018 08:47:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428433#M28217 niketn 2018-08-28T08:47:32Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428434#M28218 <P>right now it looks like this:<BR /> every appi_name has the same color (which is based on "logs" field)</P> <P><IMG src="https://serving.photos.photobox.com/63538196fb7740356a1322b5c50cc9582308486897bfacfa2b47aafe372624b47afcae1b.jpg" alt="alt text" /></P> <P>expected output will be that the 2 upper bars will be in red and the other in orange (since only the first 2 have app_risk =1)</P> Tue, 28 Aug 2018 08:55:24 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428434#M28218 shayhibah 2018-08-28T08:55:24Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428435#M28219 <P>Hello,</P> <P>You should do 2 things:</P> <P>In the search command, you should add the following: .... |chart count as total by app_risk,risk_order | eval redCount = if(app_risk=="high",total,0) | eval greenCount = if(app_risk=="Critical", total, 0) | fields Age redCount greenCount</P> <P>And then in the xml you should add this option for example in the considered panel : {"redCount":0xFF0000,"greenCount":0x73A550}</P> Tue, 29 Sep 2020 21:02:30 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428435#M28219 mkamal18 2020-09-29T21:02:30Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428436#M28220 <P><STRONG>[UPDATED ANSWER]</STRONG> <BR /> Adding logic for sorting the results</P> <P>1) <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats" target="_blank">streamstats</A> command is used to add serial number column after results are sorted as per need.<BR /> 2) <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConversionFunctions#printf.28.22format.22.2Carguments.29" target="_blank">printf()</A> evaluation function is used to pad with zeros (2 zeros in the example below), to allow string sort of results up-to 2 digits of precision.<BR /> 3) Final pipe with <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#replace.28X.2CY.2CZ.29" target="_blank">replace()</A> evaluation function is used to remove padded serial number from result.</P> <PRE><CODE>index=_internal sourcetype=splunkd log_level IN ("ERROR","WARN") | stats count by component log_level | eval log_level=case(log_level=="ERROR",0,log_level=="WARN",1) | sort 10 - log_level count | streamstats count as sno | eval component=printf("%02d",sno).component | fields - sno | xyseries component log_level count | fillnull value=0 "0","1" | rename "0" as "ERROR" "1" as "WARN" | eval component=replace(component,"^\d+","") </CODE></PRE> <HR /> <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/100240">@shayhibah</a>, your screenshot did not get uploaded (may be you missed hitting the enter key before and after attached image).</P> <P>However, based on your sample code provided you can try the following run anywhere example based on Splunk's _internal index which has <CODE>component</CODE> field instead of <CODE>appi_name</CODE> and <CODE>log_level</CODE> instead of <CODE>app_risk</CODE>. </P> <PRE><CODE>index=_internal sourcetype=splunkd log_level IN ("ERROR","WARN") | stats count by component log_level | eval log_level=case(log_level=="ERROR",0,log_level=="WARN",1) | sort 10 - log_level count | xyseries component log_level count | fillnull value=0 "0","1" | rename "0" as "ERROR" "1" as "WARN" </CODE></PRE> <P>I have used <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries" target="_blank">xyseries</A> command to invert the table to plot results as per requirement. The <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull" target="_blank">fillnull</A> command has been used to place 0 value instead of null. The <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rename" target="_blank">rename</A> command in he final pipe gives the columns a meaningful name i.e. <CODE>ERROR and WARN instead of 0 and 1 respectively</CODE> in the given example.</P> Tue, 29 Sep 2020 21:04:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428436#M28220 niketn 2020-09-29T21:04:21Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428437#M28221 <P>Thank you @niketnilay, it works!</P> Tue, 28 Aug 2018 09:38:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428437#M28221 shayhibah 2018-08-28T09:38:04Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428438#M28222 <P>@niketnilay <BR /> Right now the data is sorted by alphabetical - the sort isn't working.<BR /> Do you have any idea for this one?</P> Tue, 28 Aug 2018 09:53:50 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428438#M28222 shayhibah 2018-08-28T09:53:50Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428439#M28223 <P>@shayhibah I have updated my answer with the sorting logic. Try out and confirm!</P> Tue, 28 Aug 2018 13:51:14 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428439#M28223 niketn 2018-08-28T13:51:14Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428440#M28224 <P>works perfectly! I appreciate it Niket</P> Tue, 28 Aug 2018 14:21:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428440#M28224 shayhibah 2018-08-28T14:21:41Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428441#M28225 <P>Glad it worked... do up vote <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 28 Aug 2018 15:03:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428441#M28225 niketn 2018-08-28T15:03:08Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428442#M28226 <P>This worked great for me. Thanks @niketnilay </P> Mon, 30 Dec 2019 00:55:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-a-bar-chart-with-colors-based-on-an-external-field/m-p/428442#M28226 azulgrana 2019-12-30T00:55:21Z