Dashboards & Visualizations

Change the Color based on time

erez10121012
Path Finder

Hi,
My dashboard plots events by time. I changed the time to look like a serial (see image) and I plot 2001 events.

I want to paint by time, for example:
serial 0-199 red,
200-1000 blue,
1001-2001 green.

my search code:

source="tcp:514" 
| streamstats values(_raw) as value  
| makemv value  
| mvexpand value  
| search value<0
| streamstats count AS _time
| rename _time AS serial   
| table  serial value | head 2001

My plot: (see image)

Thanks.


niketn
Legend

@erez10121012, the community would be able to assist you better if you could share some sample _raw data values that you have. I am not able to understand why you would have to do streamstats --> makemv --> mvexpand --> then search filter?

However, answering your original question: since you have to color the series based on sequence, try the following run-anywhere example, which generates 2000 negative values between -80 and -89 and then applies field colors by creating series for 1-200, 201-1000 and 1001-2000 as Red, Blue and Green respectively (see image).

Following is the Simple XML code for the run-anywhere example.

<dashboard>
  <label>Chart with Color based on Sequence</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults count=2000 
| fields - _time 
| streamstats count AS series 
| eval series=printf("%05d",series) 
| eval value=random(), value="-8".substr(value,1,1)
| eval series1=case(series>=1 AND series<200,"1-199 (Red)",
    series>=201 AND series<1000,"201-999 (Blue)",
    series>=1001 AND series<2000,"1001-1999 (Green)") 
| xyseries series series1 value</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.fieldColors">{"1-199 (Red)":0xDC4E41,"201-999 (Blue)":0x006D9C,"1001-1999 (Green)":0x53A051}</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="height">369</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


erez10121012
Path Finder

thanks @niketnilay it works 🙂

source="tcp:514"
    | streamstats values(_raw) as value
    | makemv value
    | mvexpand value
    | search value<0
    | rename _time AS series | fields - _time
    | streamstats count AS series
    | eval series=printf("%05d",series)
    | eval series1=case(
        series>=0 AND series<130,"Anomaly (Black)",
        series>=131 AND series<250,"Cell (Blue)",
        series>=250 AND series<999,"Anomaly (Black)",
        series>=1000 AND series<1100,"Cell (Green)",
        series>=1101 AND series<1499,"Anomaly (Black)",
        series>=1550 AND series<1650,"WIFI (Red)",
        series>=1651 AND series<2001,"Anomaly (Black)")
    | xyseries series series1 value | head 2001

niketn
Legend

Great. How about the suggestion in your previous query? Did you try the following and compare the performance of your current query and the new one using the Job Inspector?

 | makemv _raw
 | eval _raw=mvfilter(_raw<0)
 | rename _raw as data 
 | mvexpand data
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

erez10121012
Path Finder

Thanks for the help @niketnilay.
My raw data is an array of bytes sent from the client to Splunk.
I receive the 2001 values in one event: {-78 -79 -55 -60 ...}
To plot the data I must do mvexpand.

About the flow "streamstats --> makemv --> mvexpand --> then search filter":
I don't know exactly why I do it like that, but if you can tell me a rule of thumb for the right order, I would be very grateful to you.


niketn
Legend

You may have to check search performance in your stack with ample data. However, instead of

 | streamstats values(_raw) as value  
 | makemv value  
 | mvexpand value  
 | search value<0

Try the following:

| makemv _raw
| eval _raw=mvfilter(_raw<0)
| rename _raw as data 
| mvexpand data

The remaining sample query I have already provided in the example above. If your issue is resolved, do accept the answer and up-vote the answer/comment that helped!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
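Combining the two suggestions in this thread (series coloring from the accepted answer and the makemv/mvfilter refactor above), here is an added SPL query that is not from any of the original posts. It assumes the single event looks like {-78 -79 -55 ...}, so the braces are stripped with rex before splitting; the tonumber() cast and the asker's own ranges (0-199, 200-1000, 1001-2001) are my assumptions, and the series names must match the keys used in the charting.fieldColors option.

```spl
source="tcp:514"
| rex mode=sed "s/[{}]//g"
| makemv delim=" " _raw
| eval data=mvfilter(tonumber(_raw)<0)
| mvexpand data
| streamstats count AS serial
| eval serial=serial-1
| eval series1=case(serial<=199,"0-199 (Red)",
                    serial<=1000,"200-1000 (Blue)",
                    serial<=2001,"1001-2001 (Green)")
| where isnotnull(series1)
| xyseries serial series1 data
```

Chaining case() on `<=` upper bounds leaves no unassigned serials, which avoids the null series1 rows that a gapped range list such as `<200` / `>=201` produces.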

skoelpin
SplunkTrust

You need to pass _time to your transforming command so that it can chart against time. This can be done using timechart or stats by _time. You should also specify an index.

 source="tcp:514" 
 | streamstats values(_raw) as value  
 | makemv value  
 | mvexpand value  
 | timechart count 