
Need to change the color of bar when one field is greater than other field in bar chart

SathyaNarayanan
Path Finder

Hi,

I have 2 fields, Purchased and allocated. I need to change the color of the bar chart (allocated) when the allocated is greater than Purchased.

Below is my query in bar chart.

index=snowprod sourcetype="snow:license_details" | stats sum(count) As Purchased sum(allocated) by name

Thanks in advance

0 Karma

SathyaNarayanan
Path Finder

Thank you, it's working for me

0 Karma

niketn
Legend

@SathyaNarayanan you can show the

index=snowprod sourcetype="snow:license_details" 
| stats sum(count) As Purchased sum(allocated) as Allocated by name
| eval Difference=Purchased-Allocated 
| eval Breached=case(Difference<0,Allocated), Met= case(Difference>=0,Allocated) 
| fields - Purchased Allocated Difference

The final chart displays Allocated License as Met or Breached. You can color by field names using the charting.fieldColors Simple XML chart configuration, as Green and Red respectively:

<option name="charting.fieldColors">{"Met":0x65a637,"Breached":0xd93f3c}</option>

Please try out and confirm. If you need a different output please add more details for required output.

PS: If you are on Splunk Enterprise 7.0 or higher and you want to plot the breached information over a timechart you can also consider Event Annotation

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
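
A complete Simple XML panel that assembles the search and the charting.fieldColors option from the answer above, as an added example that is not part of the original posts. It goes one step further by keeping Purchased as its own series so both counts appear per name; the dashboard label, the time range and the blue used for Purchased are assumptions.

```xml
<dashboard>
  <!-- Label, title and time range are illustrative assumptions -->
  <label>License allocation vs. purchase</label>
  <row>
    <panel>
      <chart>
        <title>Allocated licenses per name (Met / Breached)</title>
        <search>
          <!-- CDATA keeps the < and >= comparisons valid inside XML -->
          <query><![CDATA[
index=snowprod sourcetype="snow:license_details"
| stats sum(count) as Purchased sum(allocated) as Allocated by name
| eval Difference=Purchased-Allocated
| eval Breached=case(Difference<0,Allocated), Met=case(Difference>=0,Allocated)
| fields - Allocated Difference
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bar</option>
        <!-- Each name has a value in only one of Met/Breached, so the
             allocated bar is green or red; Purchased gets its own color -->
        <option name="charting.fieldColors">{"Purchased":0x1e93c6,"Met":0x65a637,"Breached":0xd93f3c}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```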

SathyaNarayanan
Path Finder

As I want to show the purchased count and allocated count for name, it needs to be shown.

We also want to know which name allocation has crossed the purchased.

index=snowprod sourcetype="snow:license_details" | stats sum(count) As Purchased sum(allocated) by name

0 Karma

niketn
Legend

@SathyaNarayanan,

As I want to show the purchased count and allocated count for name: Yes, this is possible with the above approach.

We also want to know which name allocation has crossed the purchased: Can you color based on Allocation Crossed Purchased alone? Then it would be simple and possible directly through Splunk UI if you are on version 6.5 or higher.

index=snowprod sourcetype="snow:license_details" 
| stats sum(count) As Purchased sum(allocated) as Allocated by name
| eval Status=if(Allocated>Purchased,"Breached","Met")

Then you can color Status Column using UI Edit option. You can also apply Splunk JS and CSS based color to row using Status field. Refer to this older post from me: https://answers.splunk.com/answers/588394/change-the-color-of-rows-in-a-table-based-on-text-1.html

You can download Splunk Dashboard Examples App to get several such examples and understand the code.

Also have you by any chance tried the other answer for coloring Chart based on Breached Or Met for your other question: https://answers.splunk.com/answers/669772/need-to-change-the-color-of-bar-when-one-field-is.html?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SathyaNarayanan
Path Finder

Thank you @niketnilay, it's working fine for me

0 Karma

niketn
Legend

@SathyaNarayanan, do accept/upvote the answer if your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SathyaNarayanan
Path Finder

Still working on the other questions

0 Karma