All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Coloring Pie Chart created using JSchart in sideview Utils

0waste_splunk
Communicator
‎08-15-2013 12:54 PM

I create a piechart that has these results in tabular form.

Type              count

1 Very High    140

2 Not rated    14

3 Medium      20

4 Low            25

5 High           200

It has 5 values, Very High, Not Rated, Medium, Low, High.
In the above example, I would like to color it so that Not rated is green, Very High is pink, Medium is yellow, Low is grey and High is Red

I have tried different method to color

<module name="HiddenChartFormatter">
  <param name="chart">pie</param>
  <param name="charting.fieldColors">"HIGH":0xFF0000,"MEDIUM":0xFFFF00,"LOW":0x545454",VERY-HIGH":0xFF8300,"NOT_RATED":0x00FF00}</param>

Above code does not work with JSChart on Pie chart.

<module name="HiddenChartFormatter">
  <param name="charting.legend.labels">[High, Medium, Low, Very High, Not rated]</param>
  <param name="charting.seriesColors">[0xFF0000,0xFFFF00,0x545454",0xFF8300,0x00FF00]</param>

seriesColors does not tie a color to a value, so in the above piechart if any value missing will mess up whole color in the piechart.

Note: Not all the time these 5 value is present for specific case.

Am I doing something wrong?

Reply

0waste_splunk
Communicator
‎08-15-2013 02:06 PM

@nick,

Thanks for prompt response.

My piechart itself generated from postProcess module. and when i append the query code to my postprocess it didn't display anything.

also I don't want any value to show up on the piechart if it has 0 value.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎08-15-2013 01:18 PM

It's a shortcoming in JSChart, in that JSChart doesn't implement the fieldColors property.

as a result, you need to do two things.

1) On the charting param side, you need to have both the charting.seriesColors key and the charting.legend.labels key set. (You have already figured this part out)

<param name="charting.seriesColors">[0xFF0000,0xFFFF00,0x545454",0xFF8300,0x00FF00]</param>
<param name="charting.legend.labels">[Info, Low, Medium, High, Critical, Fatal]</param>

2) on the search language side, to prevent any of the categories from ever dissappearing from the results, add the following search syntax. You can either tack it onto the end of your existing search, or have it present as a postProcess search. This extra piece of search language will ensure that all 6 categories are always present even if the counts for them are 0.

| append [| stats count | eval Type=split("High,Medium,Low,Very High,Not rated",",") | mvexpand Type] | stats sum(count) as count by Type

Note: this topic has come up a couple times before, although never afaik with a comprehensive answer: http://answers.splunk.com/answers/84459/colouring-piecharts-created-using-jschart

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...