topic Re: Change the Color based on time in Dashboards & Visualizations

Change the Color based on time

erez10121012 — Fri, 23 Aug 2019 13:08:58 GMT

hi
my dashboard plot event by time. i change the time to look like serial (see image) and i plot 2001 events.

i want to paint by time, for example:
serial 0-199 red.
200-1000 blue.
1001 2001 green.

my search code:

source="tcp:514" 
| streamstats values(_raw) as value  
| makemv value  
| mvexpand value  
| search value<0
| streamstats count AS _time
| rename _time AS serial   
| table  serial value | head 2001

my plot:

thanks

Re: Change the Color based on time

skoelpin — Fri, 23 Aug 2019 14:22:39 GMT

You need to pass _time in your transformation command to give it to chart against time. This can be done using timechart or stats by _time. You should also specify an index

 source="tcp:514" 
 | streamstats values(_raw) as value  
 | makemv value  
 | mvexpand value  
 | timechart count

Re: Change the Color based on time

niketn — Fri, 23 Aug 2019 15:15:57 GMT

@erez10121012 community would be able to assist you better if you can share some sample _raw data values that you have. I am not able to understand why you would have to do streamstats --> makemv --> mvexpand --> then search filter?

However, answering to your original question since you have to color the series based on sequence, try the following run anywhere example which generate 2000 negative values between -80 to -89 and then applied field color by creating series for 1-200, 201-1000 and 1001-2000 as Red, Blue and Green respectively.

Following is the Simple XML code for run anywhere example.

<dashboard>
  <label>Chart with Color based on Sequence</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2000 
| fields - _time 
| streamstats count AS series 
| eval series=printf("%05d",series) 
| eval value=random(), value="-8".substr(value,1,1)
| eval series1=case(series>=1 AND series<200,"1-199 (Red)",
    series>=201 AND series<1000,"201-999 (Blue)",
    series>=1001 AND series<2000,"1001-1999 (Green)") 
| xyseries series series1 value</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.fieldColors">{"1-199 (Red)":0xDC4E41,"201-999 (Blue)":0x006D9C,"1001-1999 (Green)":0x53A051}</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">369</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>

Re: Change the Color based on time

erez10121012 — Sun, 25 Aug 2019 05:23:02 GMT

thank for the help @ niketnilay
my raw data array of bytes sent from the client to spunk.
i receive the 2001 in one event. {-78 -79 -55 -60 ...}
to plot the data i must to do mvexpand.

about the flow "streamstats --> makemv --> mvexpand --> then search filter"
i dont know exactly why i do it like that, but if you can tell me A rule of thumb what the right order, i would be very grateful to you.

Re: Change the Color based on time

niketn — Sun, 25 Aug 2019 19:15:49 GMT

You may have to check search performance in your stack with ample data. However, instead of

 | streamstats values(_raw) as value  
 | makemv value  
 | mvexpand value  
 | search value<0

Try the following:

| makemv _raw
| eval _raw=mvfilter(_raw<0)
| rename _raw as data 
| mvexpand data

Remaining sample query I have already provided in the example above. If your issue is resolved do accept the answer and up-vote the answer/comment that helped!

Re: Change the Color based on time

erez10121012 — Mon, 26 Aug 2019 05:38:21 GMT

thanks @niketnilay it works 🙂

source="tcp:514"
    | streamstats values(_raw) as value
    | makemv value
    | mvexpand value
    | search value&lt;0
    | rename _time AS series | fields - _time
    | streamstats count AS series
    | eval series=printf("%05d",series)
    | eval series1=case(
    series&gt;=0 AND series&lt;130,"Anomaly (Black)",
    series&gt;=131 AND series&lt;250,"Cell (Blue)",
    series&gt;=250 AND series&lt;999,"Anomaly (Black)",
    series&gt;=1000 AND series&lt;1100,"Cell (Green)",
    series&gt;=1101 AND series&lt;1499,"Anomaly (Black)",
    series&gt;=1550 AND series&lt;1650,"WIFI (Red)",
    series&gt;=1651 AND series&lt;2001,"Anomaly (Black)")
    | xyseries series series1 value| head 2001</query>

Re: Change the Color based on time

niketn — Mon, 26 Aug 2019 05:46:58 GMT

Great. How about the suggestion in your previous query. Did you try the following and compared performance of your current and the new query using Job Inspector?

 | makemv _raw
 | eval _raw=mvfilter(_raw<0)
 | rename _raw as data 
 | mvexpand data