topic Re: Chart colors by search values in Splunk Search

Chart colors by search values

balcv — Tue, 01 Oct 2019 01:02:21 GMT

I have a column chart showing event counts based on host name from two different indexes:

index="main" OR index="wineventlog" | stats count by host

What I would like to achieve is to be able to show the hosts from the main index in one color and the hosts from wineventlog index as a different color.

I've used something like:

  (index="main" OR index="wineventlog") 
 | chart count as total by host,index
 | eval redCount = if(index=="main",total, 0) 
 | eval greenCount = if(index=="wineventlog", total, 0) 
 | fields host redCount greenCount

However all hosts were returned with a 0 value.

Any suggestions greatly appreciated.

Re: Chart colors by search values

santosh11 — Tue, 01 Oct 2019 01:46:10 GMT

We can use table formatting of colors.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/TableFormatsFormatting

Please check if this helps.

Regards,
Santosh

Re: Chart colors by search values

gcusello — Tue, 01 Oct 2019 09:34:58 GMT

Hi balcv,
try something like this

 (index="main" OR index="wineventlog") 
| stats count(eval(if(index=main,1,0))) AS redCount count(eval(if(index=wineventlog))) AS greeCount BY host
| table host redCount greenCount

Bye.
Giuseppe

Re: Chart colors by search values

kelz — Wed, 30 Sep 2020 02:22:04 GMT

Hi Balcv,

I used index="_internal" since i haven't index="main" on my Splunk environment and just rename it to "index=main". Basically to answer your question, you can manually assign whatever color you want depending on the field name in your search. To do that you need to add new option name parameters for "charting.fieldColors" on your XML Dashboard.

<option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>

Hex color values:
FF0000 = Red
008000= Green

Below is the search string i used.

index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"

Try this full XML Code below so you can see and test it..

<dashboard>
  <label>Column Chart (Manual change color depending on the field name on XML)</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>
        <option name="charting.legend.placement">top</option>
      </chart>
    </panel>
  </row>
</dashboard>

Let me know if this answer your question. Thanks

Kelz

Re: Chart colors by search values

balcv — Tue, 01 Oct 2019 22:01:07 GMT

Thanks @gcusello. Unfortunatley this produced errors in the stats statement telling me the eval statement is invalid. Thanks anyway.

Re: Chart colors by search values

balcv — Tue, 01 Oct 2019 22:01:29 GMT

Will do. Thanks.

Re: Chart colors by search values

balcv — Tue, 01 Oct 2019 22:06:13 GMT

After reviewing the various reposes (thank you all for contributing) and combing various aspects, I have been able to come up with the solution I was after.

 (index="main" OR index="wineventlog") 
    | stats count as total by host,index 
    | eval host=lower(host) 
    | sort host 
    | eval Linux = if(index=="main",total, 0) 
    | eval Windows = if(index=="wineventlog", total, 0) 
    | fields host Linux Windows

This results in a column chart and when altering the formatting to be a stacked column chart and setting the colours

<option name="charting.seriesColors">[0xC53151,0x0066FF]</option>

I have the chart I was after showing the number of events per host with linux hosts in red and windows in blue.

Again, thank you for your contributions.