Dashboards & Visualizations

How do you use custom colors on a dashboard chart based on values rather than fields?

itsmeveeram
New Member

I have a query which displays percentage of space used by couple of mounts for each of the hosts. I want my column chart bars to display colors based on values.

For example, all the column chart bars with values less than 30 should be in green, between 31-70 should be in yellow and greater than 70 should be in red.

I have gone through other related Splunk answers, but they are discussing on using custom chart colors based on Axis fields (Eg: charting.seriesColors / charting.fieldColors / eval conditions in SPL / etc). I'm expecting an answer which actually suggests displaying same color for all the bars with same values, irrespective of fields.

Here is my Query:
(host=wjb4stl260 OR host=wjb4stl261 OR host=wjb4stl262 OR host=wjb4stl263 OR host=wjb4stl365 OR host=wjb4stl366 OR host=wjb4stl367 OR host=wjb4stl368 OR host=CJB4STL365 OR host=CJB4STL366 OR host=WJB4STL62 OR host=WJB4STL67 OR host=WJB4STL68 OR host=WJB4STL69 OR host=WJB4STL72 OR host=WJB4STL73 OR host=CJB4STL60 OR host=CJB4STL61) (MountedOn="/tmp" OR MountedOn="/apps_01") | dedup host, MountedOn | chart max(UsePct) by host, MountedOn

Please advice.

Thank you!

Best,
Veera

0 Karma

damien_chillet
Builder

Hi,

I wanted to do the same thing once and came up with the following solution:

(host=wjb4stl260 OR host=wjb4stl261 OR host=wjb4stl262 OR host=wjb4stl263 OR host=wjb4stl365 OR host=wjb4stl366 OR host=wjb4stl367 OR host=wjb4stl368 OR host=CJB4STL365 OR host=CJB4STL366 OR host=WJB4STL62 OR host=WJB4STL67 OR host=WJB4STL68 OR host=WJB4STL69 OR host=WJB4STL72 OR host=WJB4STL73 OR host=CJB4STL60 OR host=CJB4STL61) (MountedOn="/tmp" OR MountedOn="/apps_01") | dedup host, MountedOn | chart max(UsePct) as max_use_pct by host, MountedOn
| eval status=case( 
max_use_pct  <= 30, "green",
max_use_pct  > 30 AND max_use_pct  <= 70, "yellow",
max_use_pct  > 70, "red")
| chart values(max_use_pct ) by host, status

Then select stacked mode in the visualisation format.
You can then assign colours to the bars using the "green", "yellow" and "red" fields (that you can rename to anything more relevant if you want, like "low/medium/high disk usage for example") using charting.fieldColors for example.

0 Karma

itsmeveeram
New Member

Thanks for your prompt response. But, It actually adding additional category of fields, rather than implying colors to the exiting fields.

0 Karma

damien_chillet
Builder

I thought it would be okay if you only worry about the visual aspect, you can even hide the legend if you find it confusing!

Eventually someone will post a solution using javascript later.

Good luck and happy Splunking!

0 Karma

itsmeveeram
New Member

Thank you, Damien!

I'll try to explore any other ways to help with my use case, meanwhile.

Happy Splunking!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...