Splunk Search

How to change bar chart color and the legend label

matoulas
Path Finder

How do I change a bar chart's color based on the syslog severity level? Example: informational to blue, warning to yellow, and so on, with the legend label also based on the syslog severity.

Below is my syslog severity dashboard.

[screenshot: syslog severity dashboard]

I want my bar chart to look like the Cisco syslog as below.

[screenshot: Cisco syslog severity bar chart]

Any help would be appreciated.

1 Solution

matoulas
Path Finder

I got it to work by following the links below.

| search vendorId=$vendorId$
| stats count(eval(severity_name="emergency")) as emergency
count(eval(severity_name="alert")) as alert
count(eval(severity_name="critical")) as critical
count(eval(severity_name="error")) as error
count(eval(severity_name="warning")) as warning
count(eval(severity_name="notice")) as notice
count(eval(severity_name="informational")) as informational
count(eval(severity_name="debugging")) as debugging
by severity_name

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Viz/BuildandeditdashboardswithSimplifiedXML#...

https://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/ChartConfigurationReference#Area.2C_Bubble.2C...

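Putting the accepted search together with the two linked chart settings, here is a complete Simple XML panel as an added example; it is not code from the original thread. It assumes the events live in index="main" (taken from the later post) and are filtered by the $vendorId$ token; the colour values are a constructed palette, and charting.fieldColors and charting.chart.stackMode are the standard chart options documented in the Chart Configuration Reference linked above.

```xml
<panel>
  <chart>
    <title>Syslog Severity Distribution</title>
    <search>
      <!-- one column per severity: each column becomes its own chart series,
           so it gets its own colour and its own legend entry -->
      <query>index="main" vendorId=$vendorId$
| stats count(eval(severity_name="emergency")) AS emergency
        count(eval(severity_name="alert")) AS alert
        count(eval(severity_name="critical")) AS critical
        count(eval(severity_name="error")) AS error
        count(eval(severity_name="warning")) AS warning
        count(eval(severity_name="notice")) AS notice
        count(eval(severity_name="informational")) AS informational
        count(eval(severity_name="debugging")) AS debugging
  BY severity_name</query>
      <earliest>$time.earliest$</earliest>
      <latest>$time.latest$</latest>
    </search>
    <option name="charting.chart">bar</option>
    <!-- stacked: each severity row shows one bar instead of seven zero-height ones -->
    <option name="charting.chart.stackMode">stacked</option>
    <!-- colour keyed by series (column) name; constructed palette, red for the
         severities that need triage first, blue for informational, grey for debug -->
    <option name="charting.fieldColors">{"emergency":0x8B0000,"alert":0xD62728,"critical":0xFF4500,"error":0xFF7F0E,"warning":0xFFD700,"notice":0x2CA02C,"informational":0x1F77B4,"debugging":0x7F7F7F}</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>
```

The keys in charting.fieldColors must match the series names exactly as they come out of the search (the `AS emergency`, `AS alert`, ... aliases). The legend label is that same series name, so if you `| rename informational AS "Informational"` for a nicer legend, the fieldColors key has to change with it. If you would rather have one bar per host with the severities as coloured segments, oscar84x's second split-by (`... | chart count over host by severity_name`, with host taken from the table in the later post) produces the same severity-named series, and the same fieldColors mapping applies unchanged.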

oscar84x
Contributor

Thanks. I believe you might need a second field to split-by to get a similar result. Have you opened and explored the search for the Cisco dashboard you're using as an example?
You might need something like

your search
| <stats or chart> count by fieldX, severity_id

matoulas
Path Finder

This is my search query

<search>
  <query>index="main"
| table sourcetype, host, vendorId, enterpriseId, severity_id, facility, severity_name, _time
| eval "Date/Time"=_time
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime("Date/Time")
| search vendorId="WTI"</query>
  <earliest>$time.earliest$</earliest>
  <latest>$time.latest$</latest>
</search>

This is the dashboard panel for syslog severity

  <chart>
    <title>Syslog Severity Distribution</title>
    <search>
      <query>| search vendorId=$vendorId$
| stats count by severity_name
| rename severity_name AS "Severity Name"</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">bar</option>
    <option name="charting.drilldown">all</option>
    <option name="refresh.display">progressbar</option>
  </chart>


oscar84x
Contributor

Could we see what your search looks like?
