Dashboards & Visualizations

Chart color change on basis of an alert for brief period of time

brabagaza
Explorer

Hi all,
At the moment I am trying to color a chart depending on the recency of an alert.
This works great for coloring in certain time periods during which an alert was triggered; however, I am trying to color the entire chart for a brief moment of 5 minutes. This way the chart stands out and grabs attention. Is there any way to easily color the entire chart, or the background of the chart, for a brief moment?

ATM I have a query that copies the count field into a second field and provides different colors in the XML options in the source, like so:
#query:
| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)

| eval recent_time=relative_time(now(),"-5M@M")
| eval latest_alert_time=if(alert>0,_time,None)
| eval chart_color = case(latest_alert_time>recent_time,count)
| fields _time count alert chart_color


#XML:
<option name="charting.fieldColors">{"count":#228B22, "chart_color":#bf1f1f}</option>

 

The above solution only results in colored sections during the alert time, but not a completely colored chart.

Current result and desired result:

[Image: current vs desired result]
(this example image is made by simply saying chart_color=count, so it is not dynamically responding to recent alerts)

A change in background color would also be fine. Any suggestions are welcome.

Roelof


--------------------------------------------------
#full XML of example dashboard:

<dashboard>
<label>splunk_forum_background_color</label>
<row>
<panel>
<title>current result</title>
<chart>
<search>
<query>| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)

| eval recent_time=relative_time(now(),"-5M@M")
| eval latest_alert_time=if(alert&gt;0,_time,None)
| eval chart_color = case(latest_alert_time&gt;recent_time,count)

| fields _time count chart_color</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">area</option>
<option name="charting.fieldColors">{"count":#228B22, "chart_color":#bf1f1f}</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>desired result</title>
<chart>
<search>
<query>| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)

| eval recent_time=relative_time(now(),"-5M@M")
| eval latest_alert_time=if(alert&gt;0,_time,None)
| eval chart_color = count

| fields _time count chart_color</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">area</option>
<option name="charting.fieldColors">{"count":#228B22, "chart_color":#bf1f1f}</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</dashboard>
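
One way to get the whole series colored, as an added example that is not part of the original post: compute the most recent alert time once across all rows with `eventstats`, then copy `count` into `chart_color` on every row whenever that single value falls inside the window. The field name `alert_time` is introduced here for illustration, and the window is written `"-5m@m"` using the lowercase minute unit.

```spl
| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)
| eval recent_time=relative_time(now(),"-5m@m")
| eval alert_time=if(alert>0,_time,null())
| eventstats max(alert_time) as latest_alert_time
| eval chart_color=if(latest_alert_time>recent_time,count,null())
| fields _time count chart_color
```

With the same `charting.fieldColors` option as in the dashboard above, `chart_color` covers every point while an alert is less than five minutes old and is empty otherwise; the panel needs a periodic refresh for the color to drop away once the window has passed.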
