Re: How to color chart bar and highlight the thres...

gballanti · ‎11-19-2019

Hello,

I have tried to resolve using all previous posts without lucy. Probably my search/query even if it works is malformed or some chart options are invalid. Using Splunk 8.0.0 here.
I have two questions about the chart settings.

How to color a column of the chart if the threshold is hit (red when it is > of 6, otherwise is green)?
How to mark the threshold limit on Y-Axis, for example, a bold line?

Below the piece of xml code for the chart:

    <title>Tempi medi di risposta chiamate HD</title>
    <search>
      <query>index=rl_ivr avg_speed_answer=* | eval nn=tonumber(replace(replace(avg_speed_answer,"\.",""),",",".")) | eval media_giorno = call_offered * nn | timechart span=3mon sum(call_offered) as total_call sum(media_giorno) as total_avg_speed_answer | eval row_average=(total_call * total_avg_speed_answer) | eval sla10 = total_avg_speed_answer / total_call | eval sla10=round(sla10,2)  | rangemap field=sla10 red=6-100 default=green | fields _time,sla10</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisLabelsY.majorUnit">0.5</option>
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.abbreviation">none</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.abbreviation">auto</option>
    <option name="charting.axisY.maximumNumber">20</option>
    <option name="charting.axisY.minimumNumber">0</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.abbreviation">auto</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.maximumNumber">25</option>
    <option name="charting.axisY2.minimumNumber">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.rangeValues">[0,30,70,100]</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.fieldColors">{"red":0xFF0000,"green":0xdc4e41}</option>
    <option name="charting.gaugeColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">1</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.mode">standard</option>
    <option name="charting.legend.placement">none</option>
    <option name="charting.lineWidth">2</option>
    <option name="charting.seriesColors">["0x53a051","0xf8be34","0xdc4e41"]</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trellis.splitBy">_aggregation</option>
  </chart>

gballanti · ‎11-21-2019

thanks Eric,
setting as you suggest seems to be valid for splunk but didn't get the outcome, not sure if do additional settings

Kind Regards

gballanti · ‎11-21-2019

thank you Eric,

probably it's my fault (i'm new on splunk) but I'm unable to set the first(..) statement. Maybe baecause its is not used to calculate the average but just has a sum.
May you suggest me how to set ?

kind regards

efavreau · ‎11-21-2019

Something like this (sorry for the multiple edits - there's no preview of comments in Splunk Answers):

index=rl_ivr avg_speed_answer=* 
| eval nn=tonumber(replace(replace(avg_speed_answer,"\.",""),",",".")) 
| eval media_giorno = call_offered * nn 
| eval mythreshold="4"
| timechart span=3mon first(mythreshold) sum(call_offered) as total_call sum(media_giorno) as total_avg_speed_answer 
| eval row_average=(total_call * total_avg_speed_answer) 
| eval sla10 = total_avg_speed_answer / total_call 
| eval sla10=round(sla10,2) 
| rangemap field=sla10 red=6-100 default=green 
| fields _time,sla10

###

If this reply helps you, an upvote would be appreciated.

efavreau · ‎11-21-2019

Last line in your search is limiting your fields, which, silly me, I didn't include. Your last line might be:
| fields _time,sla10,mythreshold

###

If this reply helps you, an upvote would be appreciated.

gballanti · ‎11-21-2019

hello Erik,
thanks again for the support ... unfortunately I get the same behaviour. I will try with a simple test chart using static values probably the statement used in my search has to be set in different order.

efavreau · ‎11-20-2019

@gballanti I don't know if that's possible for #1. I would go with a separate panel with a status indicator.
For #2, set your threshold in an eval,
| eval mythreshold="4"
This will appear as a line if you add this to your timechart
first(mythreshold)
It's not a bold line yet, but you could color it red or black, if you wanted.

###

If this reply helps you, an upvote would be appreciated.

How to color chart bar and highlight the threshold

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms