Dashboards & Visualizations

How to create different color pie charts with the same field?

dhirendra761
Contributor

Hi All,

Below is my requirement. I need to create pie chart with different colors as per attached SS.
I searched a lot but not able to find the solution and Below code would not help for this scenario.

 <option name="charting.fieldColors">{"Error: 0xE4002B, "Success": 0x3b7d3e}</option>

alt text

Could you please suggest me on this.

Thanks in advance.

1 Solution

grittonc
Contributor

If you don't mind having "success" with an extra name on it, you can try this method:

| makeresults 
| eval status="success", server="A" 
| append 
    [| makeresults 
    | eval status="success", server="B"]
| append 
    [| makeresults 
    | eval status="failure", server="A"]
| append 
    [| makeresults 
    | eval status="failure", server="B"]
| eval final_status=if(status="success", status." ".server, status)
| stats count by server final_status

Basically you have to make a new field that considers each type of success as its own category, but the failures as the same category. You can still trellis by server. And in the XML you can customize the colors by adding
<option name="charting.fieldColors">{"success A":#00ff00 ,"success B":#0000ff,"failure":#ff0000}</option>
.

View solution in original post

woodcock
Esteemed Legend

I would use a trellis for this and live with everything being the same 2 colors. Why in the world would you ever desire success (or any value) to be multiple colors? That seems crazy to me.

0 Karma

dhirendra761
Contributor

ok understand .. I will follow the natural approach of splunk..and use the same colors for same result .. 🙂

Thanks @woodcock for the suggation.

0 Karma

grittonc
Contributor

If you don't mind having "success" with an extra name on it, you can try this method:

| makeresults 
| eval status="success", server="A" 
| append 
    [| makeresults 
    | eval status="success", server="B"]
| append 
    [| makeresults 
    | eval status="failure", server="A"]
| append 
    [| makeresults 
    | eval status="failure", server="B"]
| eval final_status=if(status="success", status." ".server, status)
| stats count by server final_status

Basically you have to make a new field that considers each type of success as its own category, but the failures as the same category. You can still trellis by server. And in the XML you can customize the colors by adding
<option name="charting.fieldColors">{"success A":#00ff00 ,"success B":#0000ff,"failure":#ff0000}</option>
.

dhirendra761
Contributor

Thanks for your suggesation @grittonc ...yes we can by this but it will differ from our requirement.
Hi...@somesoni2 @woodcock @martin_mueller @niketnilay ...do you have any other suggestion please.

Thanks you.

0 Karma

woodcock
Esteemed Legend

Actually instead of success A and success B, just use different numbers of leading spaces and use success, success, success, success, success, success. The spaces will be invisible and you will have 100% of your request implemented! GO TEAM!

0 Karma

woodcock
Esteemed Legend

This is the best that I could do but I'll bet that @niketnilay can do better.

0 Karma

efavreau
Motivator

Is there something that differentiates each success? For instance, is A web server errors and successes and B is app server errors and successes, that kind of thing? Your picture looks like a trellis visualization. Does it have to be trellis, or could you have 6 different panels?

###

If this reply helps you, an upvote would be appreciated.
0 Karma

dhirendra761
Contributor

Hi @efavreau yes you are right I am using trails visualization <option name="trellis.enabled">1</option>
my SPL is base search | stats count(status) by server status

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...