Chart Color Assignment

Ant1D
Motivator

Hi,

I would like to be able to determine what color a chart cell will be based on how the field/legend name for that chart cell ends. E.g. I have a field called "Name" that has values NameA, NameB, NameC etc. Each "Name" field value will be shown on the chart results as "NameA_pass", "NameA_fail", "NameB_pass", "NameB_fail" and so on... (because of an eval if search command that concatenates the _pass and the _fail strings to the field called "Name")

So from this I would like all chart cells ending in "_pass" to be colored green and all chart cells ending in "_fail" to be red. Is this possible in Splunk?

I have been looking at <param name="charting.seriesColors"> and <param name="charting.fieldColors"> but what I want to achieve does not seem to be possible with these parameters.

This would be a real winner if possible.

sideview
SplunkTrust

I think it's possible with a little PostProcess and the Sideview Utils module 'ResultsValueSetter'. It's pretty tricky though.

I'll sketch out the idea and you can determine if it's something you want to explore. 😃

Assumption: You have some chart, maybe a timechart or maybe a categorical chart, which has columns like 'nameA_pass', 'nameA_fail' etc. (maybe I'm wrong and these are actually rows - correct me if I'm wrong).

Downstream from the dispatched search, but upstream from the HiddenChartFormatter, you can use the following search in a PostProcess (or HiddenPostProcess) module to completely hijack these search results:

| fields *_pass *_fail | fields - _* | transpose | fields column | eval color=if(searchmatch("column=\"*_fail\""),"0xff0000","0x00ff00") | stats list(color) as colors | eval joinedColors=mvjoin(colors,",") | eval charting.seriesColors="[" + joinedColors + "]" | fields charting.seriesColors

Now, before we talk about what the heck that search is doing, right downstream from that we'll immediately cover our tracks so the FlashChart's data doesn't even know our PostProcess was there.

To do this, right inside that PostProcess module put a second PostProcess module. Then put your HiddenChartFormatter and all the remaining downstream modules nested inside the second one.

<module name="PostProcess">
   <param name="search"> </param>
   <!-- HiddenChartFormatter and all remaining downstream modules nested here -->
</module>

It looks crazy and that's because it is. We've applied a weird postprocess search and then immediately taken it away.

However, in between these two PostProcess modules, i.e. below the first and above the second, we now have a weird playground. And that big postProcess search we have in there is chewing on your search results and it turns them into a field with the strangely familiar name of 'charting.seriesColors' that happens to have a value like: [0x00ff00,0xff0000,0xff0000], where the order of those colors will match the column order of the passes and fails. (I haven't double-checked this so I might have made a mistake and you might need a reverse in there)

Then you can put the Sideview Utils module ResultsValueSetter module right below that first crazy PostProcess module, and it will pull this value down from the land of search-results and into the land of user-interface-keys:

<module name="ResultsValueSetter">
   <param name="fields">charting.seriesColors</param>
   <!-- the second (blank) PostProcess module and everything downstream nested here -->
</module>

The only remaining thing to do is remove any charting.seriesColors key you might be setting from HiddenChartFormatter. The ResultsValueSetter module will now be pumping out the seriesColor key and the FlashChart will pick it up and have no idea of all the trouble we went through. 😃
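One way to check the color ordering that the answer above leaves unverified, as an added example that is not part of the original thread: this Python sketch compares a generated charting.seriesColors value against the legend order and reports any series that would get the wrong color. It assumes the chart applies the Nth color to the Nth series; the function names and sample series are constructed for illustration.

```python
import re

PASS_COLOR = "0x00ff00"  # green, same value as in the answer's search
FAIL_COLOR = "0xff0000"  # red, same value as in the answer's search

def expected_color(series):
    """Color the question asks for, or None if the series has neither suffix."""
    if series.endswith("_fail"):
        return FAIL_COLOR
    if series.endswith("_pass"):
        return PASS_COLOR
    return None

def build_series_colors(series_in_legend_order):
    """Mirror the search's intent: one color per *_pass/*_fail series, in order."""
    colors = [expected_color(s) for s in series_in_legend_order]
    return "[" + ",".join(c for c in colors if c) + "]"

def parse_series_colors(value):
    """Parse '[0x00ff00,0xff0000]' into a list, rejecting malformed entries."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("expected a bracketed list")
    items = [c.strip().lower() for c in value[1:-1].split(",") if c.strip()]
    for c in items:
        if not re.fullmatch(r"0x[0-9a-f]{6}", c):
            raise ValueError(f"bad color entry: {c!r}")
    return items

def mismatches(series_in_legend_order, series_colors_value):
    """Return (series, got, wanted) for each series whose positional color is wrong.

    Assumption: the chart assigns the Nth color to the Nth series.
    """
    colors = parse_series_colors(series_colors_value)
    problems = []
    for i, series in enumerate(series_in_legend_order):
        wanted = expected_color(series)
        got = colors[i] if i < len(colors) else None
        if wanted is not None and got != wanted:
            problems.append((series, got, wanted))
    return problems

if __name__ == "__main__":
    # Constructed sample: legend order as it might appear on the chart.
    legend = ["NameA_pass", "NameA_fail", "NameB_pass", "NameB_fail"]
    value = build_series_colors(legend)
    print(value, mismatches(legend, value))
    # An extra series without a suffix shifts every later color by one.
    print(mismatches(["NameA_pass", "total", "NameA_fail"], "[0x00ff00,0xff0000]"))
```

Paste the value the PostProcess search returns and the legend order shown on the chart into `mismatches`; an empty list means every _pass series is green and every _fail series is red.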

Ant1D
Motivator

Ah I didn't know that I lose points...Feel free to reward them back haha

0 Karma

sideview
SplunkTrust

(Hey - thanks for the reputation points award. FYI it's much easier to just vote up my answer, and that doesn't cost you any reputation points.)

Ant1D
Motivator

When I get a chance, I will have a look at this in more detail

0 Karma