Scatter plot color assignment

vectra_tme
Engager

I have a scatter plot that I am trying to assign colors to based on where they fall. As an example, I am plotting some points based on threat and certainty scores. I would like to be able to assign colors based on the following:

threat >50 certainty >50 = Red
threat >50 certainty<50 = Orange
threat<50 certainty>50 = Yellow

I have found some information on changing colors for line graphs, but have not found anything on scatter plots. I have tried using some of this logic without any luck.

Any help is greatly appreciated.

0 Karma
1 Solution

niketn
Legend

1) Unless you have already created ranges as per your requirement, try the following:

| eval range= case(threat >50 AND certainty>50, Red, threat >50 AND certainty<50,Orange, true(), Yellow)

2) Option (i) If you know the series names, you can use charting.fieldColors

<option name="charting.fieldColors">{"Red":0xff0000,"Yellow":0xffff00,"Orange":0xFF4500}</option>

Option (ii) If you don't know the series names, you can use charting.seriesColors

<option name="charting.seriesColors">[0xff0000,0xffff00,0xFF4500]</option>

https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pr...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


vectra_tme
Engager

You are correct, the range was not being generated. A simple fix of adding quotes resolved the issue. Here is the code that fixed my issue:

<query>index=* sourcetype=Vectra-CEF signature="hsc" *  | dedup src | search threat&gt;0 AND certainty&gt;0  | eval status= case(threat&gt;=50 AND certainty&gt;=50, "Critical", threat&gt;=50 AND certainty&lt;50, "High", threat&lt;50 AND certainty&gt;=50, "Medium", true(), "Low") | table status, certainty, threat</query>

<option name="charting.fieldColors">{"Critical":0xbe1e2d,"High":0xf05a28,"Medium":0xfaaf40,"Low":0x4e6875}</option>

Thanks for all of your help. Greatly appreciated.

0 Karma
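
The quoting problem in this thread can be reproduced without any Vectra data. The search below is an added example, not code from any poster: it builds constructed points with makeresults and evaluates the same case() twice, once with unquoted results (which eval reads as references to fields named Red, Orange, Yellow and Black that do not exist, so the result is null) and once with quoted string literals. The names range_unquoted, points and unquoted_non_null are assumptions made for this illustration.

```spl
| makeresults count=200
| eval threat=random() % 101, certainty=random() % 101
| eval range_unquoted=case(threat>=50 AND certainty>=50, Red, threat>=50 AND certainty<50, Orange, threat<50 AND certainty>=50, Yellow, true(), Black)
| eval status=case(threat>=50 AND certainty>=50, "Critical", threat>=50 AND certainty<50, "High", threat<50 AND certainty>=50, "Medium", true(), "Low")
| stats count AS points, count(range_unquoted) AS unquoted_non_null BY status
```

Every status row reports unquoted_non_null as 0, which is why the chart fell back to a single default-colored series. Replacing the final stats line with `| table status, certainty, threat` gives the series, x, y layout the scatter chart needs for charting.fieldColors to match on the status names.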

aaraneta_splunk
Splunk Employee

@vectra_tme - Glad you were able to find the solution with niketnilay's help. Please don't forget to click "Accept" to resolve your question and upvote any comments that were especially helpful. Thanks!

0 Karma

vectra_tme
Engager

Based on what you provided, I have come up with the following, but I am still getting blue dots throughout the scatter plot.

    <panel>
      <chart>
        <search>
          <query>index=* sourcetype=Vectra-CEF signature="hsc" $search$  | dedup src | search $hostseverity$  | table certainty,threat | eval range= case(threat &gt;=50 AND certainty &gt;=50, Red, threat &gt;=50 AND certainty &lt;50, Orange, threat &lt;50 AND certainty &gt;=50, Yellow, true(), Black)</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">scatter</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.maximumNumber">100</option>
        <option name="charting.axisX.minimumNumber">0</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.fieldColors">{"Red":0xff0000,"Orange":0xFF4500,"Yellow":0xffff00,"Black":0x000000}</option>
      </chart>
    </panel>
0 Karma

niketn
Legend

If you are currently seeing only one color (blue), this implies you have only one series. You need to provide that series name as it appears in the legend of the scatter chart to the charting.fieldColors configuration. Also, it seems your scatter plot query is not generating three ranges at all; otherwise you would have seen three colors. If the following is the final query for your scatter plot, please make sure certainty is on the x-axis, threat is on the y-axis and range is plotted on the graph.

| table range, certainty, threat

Alternatively, as I had mentioned, instead of fieldColors you can use seriesColors.

<option name="charting.seriesColors">[0xff0000,0xffff00,0xFF4500]</option>

However, I feel you should check your query and make sure the scatter chart is being populated correctly before you think about changing colors. (Refer to Splunk documentation on Scatter Chart: https://docs.splunk.com/Documentation/Splunk/latest/Viz/ScatterChart)

I am converting my answer to a comment so that until your issue is resolved, this flags for others to answer as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma