Yes, I've seen the effect my answer has on the mouseover tooltip for each segment. However, given that you're already specifying showPercent, I think it looks okay.

Just a thought: if the byte figures are big, you might want to show them in different units (here, megabytes):

eval Space = 'Space'." ".tostring(round('Bytes'/pow(2,20),1))." MB"

So I made a couple of changes, and it works great! (one small problem though):

 | makeresults | eval hardDriveUsed=hardDriveUsedField, hardDriveFree=hardDriveFreeField| chart latest(hardDriveUsed) as "Used" latest(hardDriveFree) as "Free" | transpose column_name=Space | rename "row 1" as "Bytes" | eval Space = tostring(round('Bytes'/pow(2,20),1)). GB"." ".'Space'

Now my charting.fieldColors XML code doesn't work because I put the field values before the "Used" and "Available"

< option name="charting.fieldColors">{"Available":0x77aaff,"Used":0xff0000}< /option >

Any ideas on how to fix this? Thanks again!

Given time, and if the following solution doesn't work reliably, then I might (possibly; I'm not certain) be able to define tokens that contain the adjusted field names, and refer to those tokens in the <option>. Or I might just be dreaming; it's late here (I'm in Perth, Australia, UTC+8).

Try replacing the fieldColors option with this:

    <option name="charting.seriesColors">[0xff0000, 0x77aaff]</option>

You might need to change the order of those colors, depending on the order of the fields in your search.

I'm not certain that seriesColors, even when given the same number of colors as corresponding fields in the search, always assigns colors in the same order. It might; I just don't know for sure. It would be helpful if the Splunk docs were clearer on this specific point.

The changing of fieldColors to seriesColors as above worked perfectly. Thanks so much for your help Graham!

You're welcome! I'm glad I could help.

Some final points:

• With apologies if you know this: you don't need to use the makeresults | eval hard... commands that I used in my example search. I used those commands to dynamically generate data because I don't have your log. You don't need to use makeresults with eval to generate data; you have the data in your log.
• I notice you changed the MB string in my example to GB. To calculate gigabytes from bytes, you need to divide the number of bytes by 2 to the power of 30: you need to change the pow(2,20) function call to pow(2,30). (Guilty admission: in my original comment, which I edited shortly afterwards, I incorrectly used pow(2,10) to convert bytes to megabytes. I did that because I was hastily copying'n'pasting from code that converted bytes to kilobytes. Sorry if that misled you.)

I didn't use makeresults, I didn't even think that was a command, I was just assuming that you used that as a catch-all for my preceding code.

Also I changed it to GB because it turns out that the code is outputting in kilobytes and not bytes hence the fact that the pow function wasn't changed.

Thanks again for all your help!