Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Modify Map Colors In Dashboard Studio

chenfan
Explorer
3 weeks ago

Hello Splunkers,

I've been having issues with Dashboard Studio lately that have been bothering me. I'd really appreciate any advice. I want to assign different colors to data based on different field values—green for "normal", yellow for "warning", and red for "critical". I've tried the following configurations, but none of them have worked.



{ "type": "splunk.map", "options": { "center": [ 34.266, 108.945 ], "zoom": 2.3155822324586683, "layers": [ { "seriesColors": [ "#00FF00", "#FFFF00", "#FF0000", "bubbleSize": "> primary | frameBySeriesNames('normal','warning','critical')" } ] }, "dataSources": { "primary": "ds_PHhx1Fxi" }, "context": {}, "showProgressBar": false, "showLastUpdated": false }

chenfan_0-1767073833477.png

 

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
3 weeks ago

Hi @chenfan 

Since when you're missing a field it throws out the colouring, just make sure you always have the fields in the order you expect - the easiest way to do this is to add a table command to then end of your search:

| table normal warning critical *

livehybrid_0-1767220731894.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

tscroggins
Champion
3 weeks ago

Hi @chenfan,

You've used the correct syntax for bubbleSize and seriesColor to select a data frame by series names and match the index of each series name to its corresponding color. Assuming "normal" is the dominant status, the screenshot looks correct.

Which part isn't working?

As an aside, Splunk's legacy default RGB values for red, yellow/amber, and green are #cba700, #d41f1f, and #118832, respectively.

0 Karma
Reply

chenfan
Explorer
3 weeks ago
Hi @tscroggins Thankyou for your reply! When my data only includes "normal" and "critical" statuses, the color assigned to "critical" is yellow——and that’s not what I want.
0 Karma
Reply

tscroggins
Champion
3 weeks ago

Hi @chenfan,

I can't reproduce the issue using your layers configuration in Splunk Enterprise 10.0. Which version of Splunk are you using? Can you post a redacted version of your search?

You could try appending an eval after geostats to insert zero values when a field is missing, null, or empty:

| geostats count by status ``` latfield=lat longfield=lon ```
| eval normal=coalesce(tonumber(trim(normal)), 0), warning=coalesce(tonumber(trim(warning)), 0), critical=coalesce(tonumber(trim(critical)), 0)

 You can vary the eval command to fit whatever validation logic you prefer, e.g.:

| eval normal=if(isnull(nullif(normal, "")) OR NOT isint(normal), 0, normal), warning=if(isnull(nullif(warning, "")) OR NOT isint(warning), 0, warning), critical=if(isnull(nullif(critical, "")) OR NOT isint(critical), 0, critical)

 

0 Karma
Reply

chenfan
Explorer
3 weeks ago

HI @livehybrid

Can you give me some suggestion? Thankyou!

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...