
How to change bar chart color and the legend label

Path Finder

How do I change a bar chart color based on the syslog severity level? Example: Informational to blue, warning to yellow and so on, and the legend label based on the syslog severity.

Below is my syslog severity Dashboard


I want my bar chart to look like the Cisco syslog as below.


Any help would be appreciated.
1 Solution

Path Finder

I got it to work by following the links below.

| search vendorId=$vendorId$
| stats count(eval(severity_name="emergency")) as emergency
        count(eval(severity_name="alert")) as alert
        count(eval(severity_name="critical")) as critical
        count(eval(severity_name="error")) as error
        count(eval(severity_name="warning")) as warning
        count(eval(severity_name="notice")) as notice
        count(eval(severity_name="informational")) as informational
        count(eval(severity_name="debugging")) as debugging
        by severity_name

https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Viz/BuildandeditdashboardswithSimplifiedXML#...

https://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/ChartConfigurationReference#Area.2C_Bubble.2C...

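The search above produces one series per severity, which is what lets a Simple XML chart color each bar and label the legend by severity. The panel below is an added example, not from the original post; the index, token names, `severity_id` ordering (0 = emergency to 7 = debugging) and the hex colors are assumptions.

```xml
<dashboard>
  <label>Syslog Severity Distribution</label>
  <fieldset submitButton="false">
    <input type="text" token="vendorId"><label>Vendor ID</label><default>WTI</default></input>
    <input type="time" token="time"><default><earliest>-24h@h</earliest><latest>now</latest></default></input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Syslog Severity Distribution</title>
        <search>
          <!-- One series per severity so each gets its own color and legend entry.
               severity_id is only used to order the rows and is dropped before charting. -->
          <query>index="main" vendorId=$vendorId$
| stats count(eval(severity_name="emergency")) as emergency
        count(eval(severity_name="alert")) as alert
        count(eval(severity_name="critical")) as critical
        count(eval(severity_name="error")) as error
        count(eval(severity_name="warning")) as warning
        count(eval(severity_name="notice")) as notice
        count(eval(severity_name="informational")) as informational
        count(eval(severity_name="debugging")) as debugging
        by severity_id severity_name
| sort severity_id
| fields - severity_id</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <!-- Each row has exactly one non-zero series; stacking collapses the seven
             empty slots into a single bar per severity instead of eight thin ones. -->
        <option name="charting.chart.stackMode">stacked</option>
        <!-- Keys must match the series names produced by stats; colors are assumed values. -->
        <option name="charting.fieldColors">{"emergency":0x8B0000,"alert":0xFF0000,"critical":0xFF4500,"error":0xFF8C00,"warning":0xFFD700,"notice":0x9ACD32,"informational":0x1E90FF,"debugging":0x808080}</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.axisTitleX.text">Severity</option>
        <option name="charting.axisTitleY.text">Events</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Without `charting.chart.stackMode`, a bar chart draws every series at every x position, so each severity row shows one colored bar beside seven empty slots.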


Contributor

Thanks. I believe you might need a second field to split by to get a similar result. Have you opened and explored the search for the Cisco dashboard you're using as an example?
You might need something like

your search
| <stats or chart> count by fieldX, severity_id

Path Finder

This is my search query

<query>index="main"
| table sourcetype, host, vendorId, enterpriseId, severity_id, facility, severity_name, _time
| eval "Date/Time"=_time
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime("Date/Time")
| search vendorId="WTI"</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>

This is the dashboard panel for syslog severity

  <chart>
    <title>Syslog Severity Distribution</title>
    <search>
      <query>| search vendorId=$vendorId$
| stats count by severity_name
| rename severity_name AS "Severity Name"</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="charting.chart">bar</option>
    <option name="charting.drilldown">all</option>
    <option name="refresh.display">progressbar</option>
  </chart>

Contributor

Could we see what your search looks like?
