Solved: Re: Emphasizing a result within a Column Chart

kprior201 · ‎05-21-2024

Hello!

I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart as annotation examples have demonstrated in the documentation. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?

Chart itself:

{
    "type": "splunk.column",
    "options": {
        "seriesColorsByField": {},
        "annotationColor": "> annotation | seriesByIndex('2')",
        "annotationLabel": "> annotation | seriesByIndex('1')",
        "annotationX": "> annotation | seriesByIndex('0')",
        "legendDisplay": "off"
    },
    "dataSources": {
        "primary": "ds_abUJLKDj",
        "annotation": "ds_YPQ3EYqR"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}

Searches:

		"ds_abUJLKDj": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
			},
			"name": "risk_score_chart"
		},
		"ds_YPQ3EYqR": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
			},
			"name": "risk_score_chart_annotation"

kprior201 · ‎05-28-2024

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

`index` 
| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)

View solution in original post

kprior201 · ‎05-28-2024

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

`index` 
| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)

Emphasizing a result within a Column Chart

chart

Dashboard Studio

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?