Dashboards & Visualizations

How do you use custom colors on a dashboard chart based on values rather than fields?

New Member

I have a query which displays percentage of space used by couple of mounts for each of the hosts. I want my column chart bars to display colors based on values.

For example, all the column chart bars with values less than 30 should be in green, between 31-70 should be in yellow and greater than 70 should be in red.

I have gone through other related Splunk answers, but they are discussing on using custom chart colors based on Axis fields (Eg: charting.seriesColors / charting.fieldColors / eval conditions in SPL / etc). I'm expecting an answer which actually suggests displaying same color for all the bars with same values, irrespective of fields.

Here is my Query:
(host=wjb4stl260 OR host=wjb4stl261 OR host=wjb4stl262 OR host=wjb4stl263 OR host=wjb4stl365 OR host=wjb4stl366 OR host=wjb4stl367 OR host=wjb4stl368 OR host=CJB4STL365 OR host=CJB4STL366 OR host=WJB4STL62 OR host=WJB4STL67 OR host=WJB4STL68 OR host=WJB4STL69 OR host=WJB4STL72 OR host=WJB4STL73 OR host=CJB4STL60 OR host=CJB4STL61) (MountedOn="/tmp" OR MountedOn="/apps_01") | dedup host, MountedOn | chart max(UsePct) by host, MountedOn

Please advice.

Thank you!

Best,
Veera

0 Karma

Hi,

I wanted to do the same thing once and came up with the following solution:

(host=wjb4stl260 OR host=wjb4stl261 OR host=wjb4stl262 OR host=wjb4stl263 OR host=wjb4stl365 OR host=wjb4stl366 OR host=wjb4stl367 OR host=wjb4stl368 OR host=CJB4STL365 OR host=CJB4STL366 OR host=WJB4STL62 OR host=WJB4STL67 OR host=WJB4STL68 OR host=WJB4STL69 OR host=WJB4STL72 OR host=WJB4STL73 OR host=CJB4STL60 OR host=CJB4STL61) (MountedOn="/tmp" OR MountedOn="/apps_01") | dedup host, MountedOn | chart max(UsePct) as max_use_pct by host, MountedOn
| eval status=case( 
max_use_pct  <= 30, "green",
max_use_pct  > 30 AND max_use_pct  <= 70, "yellow",
max_use_pct  > 70, "red")
| chart values(max_use_pct ) by host, status

Then select stacked mode in the visualisation format.
You can then assign colours to the bars using the "green", "yellow" and "red" fields (that you can rename to anything more relevant if you want, like "low/medium/high disk usage for example") using charting.fieldColors for example.

0 Karma

New Member

Thanks for your prompt response. But, It actually adding additional category of fields, rather than implying colors to the exiting fields.

0 Karma

I thought it would be okay if you only worry about the visual aspect, you can even hide the legend if you find it confusing!

Eventually someone will post a solution using javascript later.

Good luck and happy Splunking!

0 Karma

New Member

Thank you, Damien!

I'll try to explore any other ways to help with my use case, meanwhile.

Happy Splunking!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!