Solved: Emphasizing a result within a Column Chart

kprior201 · ‎05-21-2024

Hello!

I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart as annotation examples have demonstrated in the documentation. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?

Chart itself:

{
    "type": "splunk.column",
    "options": {
        "seriesColorsByField": {},
        "annotationColor": "> annotation | seriesByIndex('2')",
        "annotationLabel": "> annotation | seriesByIndex('1')",
        "annotationX": "> annotation | seriesByIndex('0')",
        "legendDisplay": "off"
    },
    "dataSources": {
        "primary": "ds_abUJLKDj",
        "annotation": "ds_YPQ3EYqR"
    },
    "showProgressBar": false,
    "showLastUpdated": false,
    "context": {}
}

Searches:

		"ds_abUJLKDj": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
			},
			"name": "risk_score_chart"
		},
		"ds_YPQ3EYqR": {
			"type": "ds.search",
			"options": {
				"query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
			},
			"name": "risk_score_chart_annotation"

kprior201 · ‎05-28-2024

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

`index` 
| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)

View solution in original post

kprior201 · ‎05-28-2024

Never did get this to work right, but a colleague came up with a different way of doing it which worked. Rather than using annotations, he factored it into the single search:

`index` 
| eval risk=round(Risk_Score,0) 
| stats dc(System_Name) AS count by risk 
| sort + risk 
| join type=left    
 [ search `index` 
   | search System_Name="$system_name$"     
   | eval risk=round(Risk_Score,0)    
   | stats sum(risk) as highlight] 
| eval highlight=if(highlight=risk,highlight,0)
| eval highlight=if(highlight=risk,count,0)
| eval count=if(highlight=count,0,count)

Emphasizing a result within a Column Chart

chart

Dashboard Studio

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation