Hi All,
I’m trying to create a stacked Vertical bar chart in Splunk, where each bar represents a unique field (e.g., SWC), and the bar is segmented into multiple colors based on a specific status field (e.g., RAG_Status with values Green, Amber, and Red).
Here’s what I’m trying to achieve:
• Each horizontal bar corresponds to a unique SWC.
• The bar is segmented based on the RAG_Status (e.g., Green, Amber, Red).
• The length of each segment represents the count of records for that combination.
• I want the segments to be stacked within the bar, with distinct colors for Green, Amber, and Red.
Sample Query:
| inputlookup example_data.csv
| eval RAG_Status = case(
KPI_Score >= KPI_Threshold, "Green",
KPI_Score >= (KPI_Threshold - 5), "Amber",
KPI_Score < (KPI_Threshold - 5), "Red"
)
| chart count BY SWC RAG_Status
| sort SWC
Visualization Requirements:
1. Chart Type: Vertical Bar Chart.
2. Stacked Mode: Each bar should show Green, Amber, and Red segments stacked horizontally.
3. Color Scheme:
• Green: #28a745
• Amber: #ffc107
• Red: #dc3545.
Screenshot for Reference:
The above is an example of horizontal but I am looking for vertical.
Current Issue:
I’m unable to configure the Splunk visualization settings or XML code to properly display this data as a Vertical stacked bar chart. Either the entire bar shows as one solid color, or the segments are not stacking as expected.
Any guidance or sample XML code to achieve this would be greatly appreciated!
Current XML code:-
<dashboard version="1.1" theme="light">
<label>SWC KPI Performance and RAG Distribution_new</label>
<row>
<panel>
<title>RAG Status Distribution by SWC</title>
<chart>
<search>
<query>| inputlookup example_data.csv
| eval RAG_Status = case(
KPI_Score >= KPI_Threshold, "Green",
KPI_Score >= (KPI_Threshold - 5), "Amber",
KPI_Score < (KPI_Threshold - 5), "Red"
)
| chart count BY SWC RAG_Status
| sort SWC</query>
<earliest>@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.seriesColors">#28a745,#ffc107,#dc3545</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleX.text">SWC</option>
<option name="charting.axisTitleY.text">count</option>
</chart>
</panel>
</row>
</dashboard>
Current situation:-
Thanks in advance!
The fact that you have Rag_Status and count in your legend would indicate you have done a stats count, not a chart count.
See the difference of the tabled output between using this
| makeresults count=200
| eval KPI_Score=random() % 100, KPI_Threshold=80, SWC="SWC:".(random() % 5)
| eval RAG_Status = case(
KPI_Score >= KPI_Threshold, "Green",
KPI_Score >= (KPI_Threshold - 5), "Amber",
KPI_Score < (KPI_Threshold - 5), "Red"
)
| chart count BY SWC RAG_Status
| sort SWCand then using stats rather than chart in the second line.
In the chart case, you should end up with columns SWC and then Amber, Green and Red, but if you use stats, you will get SWS, RAG_Status and count. In the first case you can stack the data perfectly OK
The fact that you have Rag_Status and count in your legend would indicate you have done a stats count, not a chart count.
See the difference of the tabled output between using this
| makeresults count=200
| eval KPI_Score=random() % 100, KPI_Threshold=80, SWC="SWC:".(random() % 5)
| eval RAG_Status = case(
KPI_Score >= KPI_Threshold, "Green",
KPI_Score >= (KPI_Threshold - 5), "Amber",
KPI_Score < (KPI_Threshold - 5), "Red"
)
| chart count BY SWC RAG_Status
| sort SWCand then using stats rather than chart in the second line.
In the chart case, you should end up with columns SWC and then Amber, Green and Red, but if you use stats, you will get SWS, RAG_Status and count. In the first case you can stack the data perfectly OK
Thanks for the response @PickleRick , I have copied the charting options to my html and still see single line as below. Although when I copied the fill code as a new panel it is working as expected. Do I need to change anything to make the charting options work for my search ?
