Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Chart color change on basis of an alert for brief period of time

brabagaza
Explorer
‎01-26-2021 09:43 AM

Hi all,
At the moment I am trying to color a chart depending on the recency of an alert.
This works great for coloring in certain timeperiods during which an alert was triggered, however, I am trying to color the entire chart for a brief moment of 5 minutes. This way the chart stands out and grabs attention, is there any way to easily color the entire chart, or the background of the chart, for a brief moment?

ATM I have a query that copies the count field into a second field and provides different colors in the XML options in the source, like so:
#query:
| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)

| eval recent_time=relative_time(now(),"-5M@M")
| eval latest_alert_time=if(alert>0,_time,None)
| eval chart_color = case(latest_alert_time>recent_time,count)
| fields _time count alert chart_color


#XML:
<option name="charting.fieldColors">{"count":#228B22, "chart_color":#bf1f1f}</option>

 

This above solution only results in colored sections during the alert time, but not a completely colored chart.

current result and desired results:

current vs desired resultcurrent vs desired result
(this example image is made by simply saying chart_color=count, so it is not dynamically responding to recent alerts)

A change in background color would also be fine, any suggestions are welcome

Roelof


--------------------------------------------------
#full XML of example dashboard:

<dashboard>
<label>splunk_forum_background_color</label>
<row>
<panel>
<title>current result</title>
<chart>
<search>
<query>| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)

| eval recent_time=relative_time(now(),"-5M@M")
| eval latest_alert_time=if(alert&gt;0,_time,None)
| eval chart_color = case(latest_alert_time&gt;recent_time,count)

| fields _time count chart_color</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">area</option>
<option name="charting.fieldColors">{"count":#228B22, "chart_color":#bf1f1f}</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>desired result</title>
<chart>
<search>
<query>| makeresults count=20
| eval alert=(random()%2)
| streamstats count
| eval _time=_time-(count*60)

| eval recent_time=relative_time(now(),"-5M@M")
| eval latest_alert_time=if(alert&gt;0,_time,None)
| eval chart_color = count

| fields _time count chart_color</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">area</option>
<option name="charting.fieldColors">{"count":#228B22, "chart_color":#bf1f1f}</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
</dashboard>

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...