Building for the Splunk Platform

Change Colors of Bar based on legend

qbolbk59
Path Finder

It's a simple query. I am just trying to give different color to different legends in my bar graph. below is the XML

<dashboard>
  <label>Incident Review Dashboard_new</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| datamodel Incident_Management Notable_Events search | stats count by severity </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">1</option>
        <option name="charting.axisY2.maximumNumber">200</option>
        <option name="charting.axisY2.minimumNumber">100</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.overlayFields">low,high,severe,medium</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.labels">[low,medium,high,severe]</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.seriesColors">[oxffbf00,0xFF0000,0xFFFF00,0x00FF00]</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>

But in the dashboard, it's giving just one color to all bars i.e., the color code "0x40ff00". I think it's probably because in the bar chart the there's just one legend i.e., "count". Can somebody help how can i sort this out. I want color in the following format to the bars

high-orange
severe-red
low-green
medium-blue

Tags (1)
0 Karma
1 Solution

@qbolbk59, Provided the severity field as per your query has values severe, high, medium and low, you can use the transpose command to invert the table as per your need to have legends based on severity field values:

| datamodel Incident_Management Notable_Events search 
| stats count by severity
| transpose header_field=severity column_name=severity

Based on the colors as required in the question following color hex codes can be applied using chart configuration charting.fieldColors:

<option name="charting.fieldColors">{severe":0xFF0000,"high":0xFFA500,""medium":0x0000FF,"low":0x00FF00}</option>

PS: Get rid of chart configuration options which are not required and may be contradicting like charting.seriesColorsand charting.legend.labels.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

@qbolbk59, Provided the severity field as per your query has values severe, high, medium and low, you can use the transpose command to invert the table as per your need to have legends based on severity field values:

| datamodel Incident_Management Notable_Events search 
| stats count by severity
| transpose header_field=severity column_name=severity

Based on the colors as required in the question following color hex codes can be applied using chart configuration charting.fieldColors:

<option name="charting.fieldColors">{severe":0xFF0000,"high":0xFFA500,""medium":0x0000FF,"low":0x00FF00}</option>

PS: Get rid of chart configuration options which are not required and may be contradicting like charting.seriesColorsand charting.legend.labels.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

qbolbk59
Path Finder

Thanks @niketnilay, It's working now !!

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...