Need to change the color of bar when one field is ...

SathyaNarayanan · ‎07-03-2018

Hi ,

I have 2 fields Purchased and allocated , i need to change the color of bar chart(allocated ) when the allocated is greater than Purchased .

Below is my query in bar chart.

index=snowprod sourcetype="snow:license_details" | stats sum(count) As Purchased sum(allocated) by name

Thanks in advance

SathyaNarayanan · ‎07-04-2018

Thank u, its working for me

niketn · ‎07-04-2018

@SathyaNarayanan you can show the

index=snowprod sourcetype="snow:license_details" 
| stats sum(count) As Purchased sum(allocated) as Allocated by name
| eval Difference=Purchased-Allocated 
| eval Breached=case(Difference<0,Allocated), Met= case(Difference>=0,Allocated) 
| fields - Purchased Allocated Difference

The final chart displays Allocated License as Met Or Breached. You can color by field names using charting.fieldColors Simple XML chart configuration as Green and Red respectively:

<option name="charting.fieldColors">{"Met":0x65a637,"Breached":0xd93f3c}</option>

Please try out and confirm. If you need a different output please add more details for required output.

PS: If you are on Splunk Enterprise 7.0 or higher and you want to plot the breached information over a timechart you can also consider Event Annotation

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SathyaNarayanan · ‎07-04-2018

As i want to show the purchased count and allocated count for name, it needs to be shows.

we also want to know which name allocation has crossed the purchased.

index=snowprod sourcetype="snow:license_details" | stats sum(count) As Purchased sum(allocated) by name

niketn · ‎07-04-2018

@SathyaNarayanan,

As i want to show the purchased count and allocated count for name : Yes this is possible with above approach.

we also want to know which name allocation has crossed the purchased.: Can you color based on Allocation Crossed Purchased alone? Then it would be simple and possible directly through Splunk UI if you are on version 6.5 or higher.

index=snowprod sourcetype="snow:license_details" 
| stats sum(count) As Purchased sum(allocated) by name
| eval Status=if(Allocated>Purchased,"Breached","Met")

Then you can color Status Column using UI Edit option. You can also apply Splunk JS and CSS based color to row using Status field. Refer to this older post from me: https://answers.splunk.com/answers/588394/change-the-color-of-rows-in-a-table-based-on-text-1.html

You can download Splunk Dashboard Examples App to get several such examples and understand the code.

Also have you by any chance tried the other answer for coloring Chart based on Breached Or Met for your other question: https://answers.splunk.com/answers/669772/need-to-change-the-color-of-bar-when-one-field-is.html?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SathyaNarayanan · ‎07-04-2018

Thank you @niketnilay, its working fine for me

niketn · ‎07-05-2018

@SathyaNarayanan, do accept/upvote the answer if your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SathyaNarayanan · ‎07-04-2018

Still working on the other questions

Need to change the color of bar when one field is greater than other field in bar chart

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio