Solved: Changing the color of a bubble plot based on a fie...

CarbonCriterium · ‎08-25-2020

The following search works well enough, but I would like the color of the "bubbles" to be based on sc_status="200" or sc_status!="200"

I still want to show a bubble for all of the cs_uri_stem values. In theory, if every cs_uri_stem has at least one event that is status 200 and at least one event that is something else, this could duplicate the number of rows in the output table.

...base search...

| stats avg(eval(time_taken)) AS avg_tt,  avg(eval(sc_bytes)) AS avg_bytes,
 count(eval(source)) AS NumTransactions, BY cs_uri_stem 

| table cs_uri_stem, avg_tt, avg_bytes, NumTransactions 

| rename avg_bytes AS "Average Bytes Returned" avg_tt AS "Average Time in Milliseconds" NumTransactions AS "# of Transactions"

Can this be accomplished in the Dashboard's XML?
Can this also be accomplished with an eval statement in the search itself?

niketn · ‎08-30-2020

@CarbonCriterium hope you are looking for the following SPL. If not please add some sample data and a screenshot of what it looks like right now and how it should appear.

| stats count(eval(status!=200)) as Error  avg(eval(time_taken)) AS avg_tt,  avg(eval(sc_bytes)) AS avg_bytes, count(eval(source)) AS NumTransactions, BY cs_uri_stem 
| eval status=if(Error=0,"200","!=200")
| fields cs_uri_stem, status, avg_tt, avg_bytes, NumTransactions 
| rename avg_bytes AS "Average Bytes Returned" avg_tt AS "Average Time in Milliseconds" NumTransactions AS "# of Transactions"

Following is a run anywhere example based on Splunk's _internal access index with data similar to yours.

Screen Shot 2020-08-31 at 2.00.17 AM.png

<dashboard theme="dark">
  <label>Bubble Chart with Bubbles Based on Status</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index = _internal sourcetype=splunkd_access 
| eval status=if(random()%2==0,200,400)
| stats count(eval(status!=200)) as Error count sum(bytes) as "Total Bytes" by uri_path, date_hour
| eval status=if(Error=0,"200","!=200")
| fields uri_path status date_hour count "Total Bytes"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"200":"#53A051","!=200":"#DC4E41"}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-30-2020

@CarbonCriterium hope you are looking for the following SPL. If not please add some sample data and a screenshot of what it looks like right now and how it should appear.

| stats count(eval(status!=200)) as Error  avg(eval(time_taken)) AS avg_tt,  avg(eval(sc_bytes)) AS avg_bytes, count(eval(source)) AS NumTransactions, BY cs_uri_stem 
| eval status=if(Error=0,"200","!=200")
| fields cs_uri_stem, status, avg_tt, avg_bytes, NumTransactions 
| rename avg_bytes AS "Average Bytes Returned" avg_tt AS "Average Time in Milliseconds" NumTransactions AS "# of Transactions"

Following is a run anywhere example based on Splunk's _internal access index with data similar to yours.

Screen Shot 2020-08-31 at 2.00.17 AM.png

<dashboard theme="dark">
  <label>Bubble Chart with Bubbles Based on Status</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index = _internal sourcetype=splunkd_access 
| eval status=if(random()%2==0,200,400)
| stats count(eval(status!=200)) as Error count sum(bytes) as "Total Bytes" by uri_path, date_hour
| eval status=if(Error=0,"200","!=200")
| fields uri_path status date_hour count "Total Bytes"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"200":"#53A051","!=200":"#DC4E41"}</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

CarbonCriterium · ‎09-01-2020

This is great, but how are you the poster with the correct answer to every one of my questions!? 😂

Changing the color of a bubble plot based on a field value

CSS

panel

simple XML

table

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?