Dashboards & Visualizations

Change color of column in chart using 2 fields

ddergan
Loves-to-Learn Lots

I have a search query that gives me a count of vulnerabilities broken down by age (in days).  I want to be able to have a different color for each column.  The columns are, in days, 0-30 (light green), 31-60 (orange), 61-90 (light blue), 91-180 (yellow), and Older than 180 (red).  When I use 'charting.seriesColors', all of the columns turn light green.

Search query:

 index=qualys_host_detection TYPE=CONFIRMED ("severity=3" OR "severity=4" OR "severity=5") OS="Windows Server*" OR "Microsoft Windows Server" OR "VMWare" STATUS!=FIXED | dedup QID, HOST_ID | eval firstseen=strptime(FIRST_FOUND_DATETIME, "%Y-%m-%dT%H:%M:%S"), epochnow=now(), duration=round((epochnow-firstseen)/86400,0), days=case(duration<=30, "0-30", duration>30 AND duration<=60, "31-60", duration>60 AND duration<=90, "61-90", duration>90 AND duration<=180, "91-180", duration>180, "Older than 180") | stats count by days

Labels (1)
0 Karma

ddergan
Loves-to-Learn Lots

I can get the colors to change when using the paint brush, but I am still having an issue when it comes to the column chart.  All of the columns change to the first color listed.  The above code for the color pallete did not change anything.

0 Karma

kennetkline
Path Finder

 

Ok, columns (Table) I was thinking Chart.  was late last night

You want to use the paint brush on the Column -> Color -> Values -> Defined Values


Capture.PNG 

 

<format type="color" field="days">
<colorPalette type="map">{"0-30":#B6C75A,"31-60":#F1813F,"61-90":#62B3B2,"91-180":#F8BE34,"Older than 180":#DC4E41}</colorPalette>
</format>

 

0 Karma

ddergan
Loves-to-Learn Lots

Thanks, kennetkline.  I have tried what you have suggested, but it changes all of the columns to the color listed first.  I need to figure out how to change all of the columns to their respective colors.

0 Karma

kennetkline
Path Finder

You can setup your chart item and edit and switch to sources:

You would then put something in like such:

<option name="charting.fieldColors">{"0-30": 0x009900, "31-60": 0xFF6600, "61-90": 0x66CCFF, "91-180": 0xFFFF00, "Older than 180": 0xFF0000}</option>

if you just use an array: (not perferred):

This one is not good (if there are not any matches for certain states of days; you risk colors to be matched to the first entry in the array. not the color you desire;  unless you do some make results stuff to for each state in your output of your search to ensure all states show up 0-30,31-60,61-90,91-180, older than 180.

<option name="charting.seriesColors">[0x009900, 0xFF6600, 0x66CCFF, 0xFFFF00,0xFF000]</option> 


to sample below;  you can use HEX Color editor to pick your preferred Shades of Colors.

 

<panel>
<title>CRITICAL</title>
<chart>
<search>
<query>
index=qualys_host_detection TYPE=CONFIRMED ("severity=3" OR "severity=4" OR "severity=5") OS="Windows Server*" OR "Microsoft Windows Server" OR "VMWare" STATUS!=FIXED | dedup QID, HOST_ID | eval firstseen=strptime(FIRST_FOUND_DATETIME, "%Y-%m-%dT%H:%M:%S"), epochnow=now(), duration=round((epochnow-firstseen)/86400,0), days=case(duration<=30, "0-30", duration>30 AND duration<=60, "31-60", duration>60 AND duration<=90, "61-90", duration>90 AND duration<=180, "91-180", duration>180, "Older than 180") | stats count by days
</query>
</search>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{"0-30": 0x009900, "31-60": 0xFF6600, "61-90": 0x66CCFF, "91-180": 0xFFFF00, "Older than 180": 0xFF0000}</option>
</chart>
</panel>

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...