How do I change a bar chart color based on the syslog severity level? Example: informational to blue, warning to yellow, and so on, with the legend labels based on the syslog severity.
Below is my syslog severity Dashboard
I want my bar chart to look like the Cisco syslog as below.
Any help would be appreciated.
I got it to work by following the link below.
| search vendorId=$vendorId$
| stats count(eval(severity_name="emergency")) as emergency
count(eval(severity_name="alert")) as alert
count(eval(severity_name="critical")) as critical
count(eval(severity_name="error")) as error
count(eval(severity_name="warning")) as warning
count(eval(severity_name="notice")) as notice
count(eval(severity_name="informational")) as informational
count(eval(severity_name="debugging")) as debugging
by severity_name
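A full panel built around the search in the post above, as an added example that is not part of the original thread. It assumes the `index="main"` base search and `vendorId` token shown elsewhere in the thread; the blue and yellow colors come from the question, and the remaining colors are arbitrary choices.

```xml
<!-- Added example, not the poster's dashboard. Field and token names are reused from the thread. -->
<chart>
  <title>Syslog Severity Distribution</title>
  <search>
    <!-- $vendorId|s$ wraps the token value in quotes so input text is treated as a string, not as SPL -->
    <query>index="main" vendorId=$vendorId|s$
| stats count(eval(severity_name="emergency")) as emergency
        count(eval(severity_name="alert")) as alert
        count(eval(severity_name="critical")) as critical
        count(eval(severity_name="error")) as error
        count(eval(severity_name="warning")) as warning
        count(eval(severity_name="notice")) as notice
        count(eval(severity_name="informational")) as informational
        count(eval(severity_name="debugging")) as debugging
        by severity_name</query>
  </search>
  <option name="charting.chart">bar</option>
  <!-- Each row has only one non-zero series; stacking keeps every bar full width -->
  <option name="charting.chart.stackMode">stacked</option>
  <!-- One color per series name; the series names are the "as" aliases in the stats command -->
  <option name="charting.fieldColors">{"emergency": 0x8B0000, "alert": 0xD7191C, "critical": 0xF46D43, "error": 0xFDAE61, "warning": 0xFFD700, "notice": 0x66BD63, "informational": 0x1E90FF, "debugging": 0x999999}</option>
  <option name="charting.legend.placement">right</option>
</chart>
```

Because every severity is its own series, the legend lists the severity names and `charting.fieldColors` can assign each one a fixed color.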
Thanks. I believe you might need a second field to split-by to get a similar result. Have you opened and explored the search for the Cisco dashboard you're using as an example?
You might need something like
your search
| <stats or chart> count by fieldX, severity_id
This is my search query
<query>index="main"
| table sourcetype, host, vendorId, enterpriseId, severity_id, facility, severity_name, _time
| eval Date/Time=_time
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Date/Time)
| search vendorId="WTI"
This is the dashboard panel for syslog severity
<chart>
<title>Syslog Severity Distribution</title>
<search>
<query>| search vendorId=$vendorId$
| stats count by severity_name
| rename severity_name AS "Severity Name"
bar
all
progressbar
Could we see what your search looks like?