Building for the Splunk Platform

How to set 2 different colors for 2 different values in the same field dynamically in bar charts ?

shinta_rcm
Explorer
Stage(Field name)
Capa
Capa_india
north_Capa
checkcapaend
NET
net_east
southNETregion
showmeNET
us_net

 

From the field Stage, if the value contains capa 0r Capa I need to color the bar chart as Blue. Otherwise need to show the bar chart color as Orange.

 

Thanks in advance.

Labels (2)
0 Karma

SinghK
Builder
0 Karma

shinta_rcm
Explorer

Thanks a lot for your reply.

The solution that you suggested is for numeric values. But we are working on String values.

<option name="charting.fieldColors">{"%capa%": 0xFF0000, "elevated": 0xFF9900, "low":0x008000}</option>

Is it possible to add wildcards like in the above XML code. If not kindly suggest an alternative approach.

The word "Capa" can occur in any part of the value and in some cases it may not occur too. So, we need a dynamic approach to color a bar of the bar chart.

0 Karma

SinghK
Builder

|makeresults
|eval stage= "Capa Capa_india north_Capa checkcapaend NET net_east"
|makemv stage
|mvexpand stage
|eval stage=lower(stage)
|fields - _time
|eval stagename = if(match(stage,"capa"),1,2)
|chart count by stage stagename

 

try that if that helps..

0 Karma

shinta_rcm
Explorer

Thanks for the reply. We have already 3 fields in the chart command. Not able to add the 4th one in the command.

 

Also, kindly suggest if there is a way to include wildcards in charting.fieldColors, charting.seriesColors or in charting.annotation.categoryColors. This will be very helpful in my case.

0 Karma

SinghK
Builder

Results

SinghK_0-1641390742878.png

 

0 Karma

SinghK
Builder

you can do that in statistical table easy.

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...