Dashboards & Visualizations

Emphasizing a result within a Column Chart

kprior201
Path Finder

Hello!

I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart as annotation examples have demonstrated in the documentation. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?

Chart itself:

{
    "type": "splunk.column",
    "options": {
        "seriesColorsByField": {},
        "annotationColor": "> annotation | seriesByIndex('2')",
        "annotationLabel": "> annotation | seriesByIndex('1')",
        "annotationX": "> annotation | seriesByIndex('0')",
        "legendDisplay": "off"
    },
    "dataSources": {
        "primary": "ds_abUJLKDj",
        "annotation": "ds_YPQ3EYqR"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}

 Searches:

		"ds_abUJLKDj": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
			},
			"name": "risk_score_chart"
		},
		"ds_YPQ3EYqR": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
			},
			"name": "risk_score_chart_annotation"
Labels (2)
0 Karma
1 Solution

kprior201
Path Finder

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

 

`index` 
| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)

View solution in original post

0 Karma

kprior201
Path Finder

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

 

`index` 
| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...