Dashboards & Visualizations

Emphasizing a result within a Column Chart

Path Finder


I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart as annotation examples have demonstrated in the documentation. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?

Chart itself:

    "type": "splunk.column",
    "options": {
        "seriesColorsByField": {},
        "annotationColor": "> annotation | seriesByIndex('2')",
        "annotationLabel": "> annotation | seriesByIndex('1')",
        "annotationX": "> annotation | seriesByIndex('0')",
        "legendDisplay": "off"
    "dataSources": {
        "primary": "ds_abUJLKDj",
        "annotation": "ds_YPQ3EYqR"
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}


		"ds_abUJLKDj": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
			"name": "risk_score_chart"
		"ds_YPQ3EYqR": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
			"name": "risk_score_chart_annotation"
Labels (2)
0 Karma

Path Finder

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:


| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...