Solved: Different color on one bar-graph

przemyslawolsze · ‎07-05-2016

In my application i am trying display logs from logger.

So my source structure:

Application - application name

Interface - logger name

Level - log level

My search query :

index="log_index" sourcetype=log_source| eval logger = Application + ":" + Interface + " - " + Level | eval error= if(Level == "Error", 1, 0) | eval warn= if(Level == "Warn", 1, 0) | eval info= if(Level == "Info", 1, 0) | eval fatal= if(Level == "Fatal", 1, 0)| search fatal=1 OR error=1 OR warn=1 OR info=0| stats count(Level) by logger sort by count(Level) desc

I set my options as:

        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.text">title</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">500</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">1</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.fieldColors">{"error":0xFF0000,"warn":0xFFFF00, "info":0x73A550, "fatal": 0x000000}</option>
        <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00, 0x000000]</option>

My aim:
I would like to match bar color to level for each logger (application plus interface plus level). So bar with level fatal should be red, error black etc etc.

I hope someone of you will know how to configure that tool.

somesoni2 · ‎07-05-2016

Try this for your query

index="log_index" sourcetype=log_source Level="Error" OR Level="Warn" OR Level="Info" OR Level="Fatal" | eval logger = Application + ":" + Interface | chart count over logger by Level | addtotals  | sort -Total | fields - Total

View solution in original post

somesoni2 · ‎07-05-2016

Try this for your query

index="log_index" sourcetype=log_source Level="Error" OR Level="Warn" OR Level="Info" OR Level="Fatal" | eval logger = Application + ":" + Interface | chart count over logger by Level | addtotals  | sort -Total | fields - Total

przemyslawolsze · ‎07-06-2016

Unbelievable. Now this tool make sense 😄
Thank you.

Different color on one bar-graph

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Are you a member of the Splunk Community?

Different color on one bar-graph

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain