Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Emphasizing a result within a Column Chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart as annotation examples have demonstrated in the documentation. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?
Chart itself:
{
"type": "splunk.column",
"options": {
"seriesColorsByField": {},
"annotationColor": "> annotation | seriesByIndex('2')",
"annotationLabel": "> annotation | seriesByIndex('1')",
"annotationX": "> annotation | seriesByIndex('0')",
"legendDisplay": "off"
},
"dataSources": {
"primary": "ds_abUJLKDj",
"annotation": "ds_YPQ3EYqR"
},
"showProgressBar": false,
"showLastUpdated": false,
"context": {}
}Searches:
"ds_abUJLKDj": {
"type": "ds.search",
"options": {
"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
},
"name": "risk_score_chart"
},
"ds_YPQ3EYqR": {
"type": "ds.search",
"options": {
"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
},
"name": "risk_score_chart_annotation"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:
`index`
| eval risk=round(Risk_Score,0)
| stats dc(System_Name) AS count by risk
| sort + risk
| join type=left
[ search `index`
| search System_Name="$system_name$"
| eval risk=round(Risk_Score,0)
| stats sum(risk) as highlight]
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:
`index`
| eval risk=round(Risk_Score,0)
| stats dc(System_Name) AS count by risk
| sort + risk
| join type=left
[ search `index`
| search System_Name="$system_name$"
| eval risk=round(Risk_Score,0)
| stats sum(risk) as highlight]
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)
Index This | When is October more than just the tenth month?
Observe and Secure All Apps with Splunk
What’s New & Next in Splunk SOAR
