https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496921#M194716 <P>Thanks. I believe you might need a second field to split-by to get a similar result. Have you opened and explored the search for the Cisco dashboard you're using as an example?<BR /> You might need something like </P> <PRE><CODE>your search | &lt;stats or chart&gt; count by fieldX, severity_id </CODE></PRE> Wed, 04 Dec 2019 21:24:05 GMT oscar84x 2019-12-04T21:24:05Z https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496918#M194713 <P>How do I change a bar chart color base on the syslog severity level. Example: Informational to blue color, warning to yellow color and so on and the legend label base on the syslog severity. </P> <P>Below is my syslog severity Dashboard</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8027i51EB0BB5B400D6A7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I want my bar chart to look like the Cisco syslog as below.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8028i676F0E5C1E4E95A4/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Any help would be appreciate it. </P> Wed, 04 Dec 2019 19:01:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496918#M194713 matoulas 2019-12-04T19:01:07Z https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496919#M194714 <P>Could we see what your search looks like?</P> Wed, 04 Dec 2019 19:20:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496919#M194714 oscar84x 2019-12-04T19:20:30Z https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496920#M194715 <P>This is my search query</P> <PRE><CODE>&lt;query&gt;index="main" </CODE></PRE> <P>| table sourcetype, host, vendorId, enterpriseId, severity_id, facility, severity_name, _time <BR /> | eval Date/Time=_time <BR /> | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Date/Time)<BR /> | search vendorId="WTI"<BR /> <EARLIEST>$time.earliest$</EARLIEST><BR /> <LATEST>$time.latest$</LATEST></P> <P>This is the dashboard panel for syslog severity</P> <PRE><CODE> &lt;chart&gt; &lt;title&gt;Syslog Severity Distribution&lt;/title&gt; &lt;search&gt; &lt;query&gt;| search vendorId=$vendorId$ </CODE></PRE> <P>| stats count by severity_name<BR /> | rename severity_name AS "Severity Name"<BR /> <EARLIEST>-24h@h</EARLIEST><BR /> <LATEST>now</LATEST><BR /> <BR /> bar<BR /> all<BR /> progressbar<BR /> <BR /> </P> Wed, 30 Sep 2020 03:11:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496920#M194715 matoulas 2020-09-30T03:11:17Z https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496921#M194716 <P>Thanks. I believe you might need a second field to split-by to get a similar result. Have you opened and explored the search for the Cisco dashboard you're using as an example?<BR /> You might need something like </P> <PRE><CODE>your search | &lt;stats or chart&gt; count by fieldX, severity_id </CODE></PRE> Wed, 04 Dec 2019 21:24:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496921#M194716 oscar84x 2019-12-04T21:24:05Z https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496922#M194717 <P>I got it to work and by follow the link below.</P> <P>| search vendorId=$vendorId$ <BR /> | stats count(eval(severity_name="emergency")) as emergency<BR /> count(eval(severity_name="alert")) as alert<BR /> count(eval(severity_name="critical")) as critical<BR /> count(eval(severity_name="error")) as error<BR /> count(eval(severity_name="warning")) as warning<BR /> count(eval(severity_name="notice")) as notice<BR /> count(eval(severity_name="informational")) as informational<BR /> count(eval(severity_name="debugging")) as debugging<BR /> by severity_name</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Viz/BuildandeditdashboardswithSimplifiedXML#Specify_custom_colors_for_fields_in_charts" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Viz/BuildandeditdashboardswithSimplifiedXML#Specify_custom_colors_for_fields_in_charts</A></P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/ChartConfigurationReference#Area.2C_Bubble.2C_Bar.2C_Column.2C_Line.2C_and_Scatter_charts" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/ChartConfigurationReference#Area.2C_Bubble.2C_Bar.2C_Column.2C_Line.2C_and_Scatter_charts</A></P> Wed, 30 Sep 2020 03:21:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-bar-chart-color-and-the-legend-label/m-p/496922#M194717 matoulas 2020-09-30T03:21:18Z