topic Re: How to change column colors in a chart based on a duration value? in Splunk Search

How to change column colors in a chart based on a duration value?

briangmadden — Mon, 28 Sep 2020 17:27:06 GMT

I have a search that compares values in two files and comes up with duration it took to process a job.

index=abc sourcetype=abc source=PRD | eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S") | join jobid [search index=abc sourcetype=abc_response source=PRD | eval "Response_Status"=status | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")] | eval d=rtime-otime | eval Duration=d/60 |table jobid,Duration,| reverse

Jobid is individual and will only appear once. The output is then graphed in dashboard. At the moment all columns in graph are blue. I need the columns to be either green or red depending if duration is greater or less than 15. It should be green if duration < 15 and red if duration > 15

Tried adding additional eval but it throws error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). None of these seem to work for me.

index=abc sourcetype=abc source=PRD | eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S") | join jobid [search index=abc sourcetype=abc_response source=PRD | eval "Response_Status"=status | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")] | eval d=rtime-otime | eval Duration=d/60 |eval urgent = duration > (15*60) |table jobid,Duration,| reverse

Any help much appreciated.

Re: How to change column colors in a chart based on a duration value?

strive — Mon, 01 Sep 2014 15:23:18 GMT

Check these

http://answers.splunk.com/answers/58335/change-chart-bar-color-based-on-data-value

http://answers.splunk.com/answers/145120/bar-chart-column-color-based-on-value

Re: How to change column colors in a chart based on a duration value?

gpalla91 — Mon, 01 Sep 2014 19:31:41 GMT

Have you tried creating your search in a Pivot, this will easily allow you to configure your graph via different color for different durations.

Re: How to change column colors in a chart based on a duration value?

schatzb — Wed, 03 Sep 2014 17:35:11 GMT

You can split the counts into two different variables and then display them as a stacked bar chart.

    | eval red=Case(count<15,count,count>=15,0) 
    | eval green=Case(count>=15,count,count<15,0)
    | table job_id, red, green

your data will look similar to this

Case|   Count|  Red|    Green|
1       8       8       0
2       1       1       0
3       11      11      0
4       55      0       55
5       44      0       44
6       233     0       233
7       48      0       48
8       10      10      0

Then create a bar chart with both Red and Green and use the charting.fieldColors setting in the XML to designate the colors of each variable

<option name="charting.fieldColors">{"Red":0xFF0000,"Green":0x00FF00}</option>