I have a scatter plot that I am trying to assign colors to based on where they fall. As an example, I am plotting some points based on threat and certainty scores. I would like to be able to assign colors based on the following:
threat >50 certainty >50 = Red
threat >50 certainty <50 = Orange
threat <50 certainty >50 = Yellow
I have found some information on changing colors for line graphs, but have not found anything on scatter plots. I have tried using some of this logic without any luck.
Any help is greatly appreciated.
1) Unless you have already created ranges as per your requirement, try the following:
| eval range= case(threat >50 AND certainty>50, Red, threat >50 AND certainty<50,Orange, true(), Yellow)
2) Option (i) If you know the series names you can use charting.fieldColors
<option name="charting.fieldColors">{"Red":0xff0000,"Yellow":0xffff00,"Orange":0xFF4500}</option>
Option (ii) If you don't know the series names you can use charting.seriesColors
<option name="charting.seriesColors">[0xff0000,0xffff00,0xFF4500]</option>
You are correct, the range was not being generated. A simple fix of adding quotes, resolved the issue. Here is code that fixed my issue:
<query>index=* sourcetype=Vectra-CEF signature="hsc" * | dedup src | search threat>0 AND certainty>0 | eval status= case(threat>=50 AND certainty>=50, "Critical", threat>=50 AND certainty<50, "High", threat<50 AND certainty>=50, "Medium", true(), "Low") | table status, certainty, threat</query>
<option name="charting.fieldColors">{"Critical":0xbe1e2d,"High":0xf05a28,"Medium":0xfaaf40,"Low":0x4e6875}</option>
Thanks for all of your help. Greatly appreciated.
@vectra_tme - Glad you were able to find the solution with niketnilay's help. Please don't forget to click "Accept" to resolve your question and upvote any comments that were especially helpful. Thanks!
Based on what you provided, I have come up with the following but am still getting blue dots throughout the scatter plot
<panel>
<chart>
<search>
<query>index=* sourcetype=Vectra-CEF signature="hsc" $search$ | dedup src | search $hostseverity$ | table certainty,threat | eval range= case(threat >=50 AND certainty >=50, Red, threat >=50 AND certainty <50, Orange, threat <50 AND certainty >=50, Yellow, true(), Black)</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">scatter</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.maximumNumber">100</option>
<option name="charting.axisX.minimumNumber">0</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.maximumNumber">100</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="charting.fieldColors">{"Red":0xff0000,"Orange":0xFF4500,"Yellow":0xffff00,"Black":0x000000}</option>
</chart>
</panel>
If you are currently seeing only one color (blue), this implies you have only one series. You need to provide that series name as it appears in the legend of the scatter chart to the charting.fieldColors configuration. Also, it seems your scatter plot query is not generating three ranges at all, otherwise you would have seen three colors. If the following is the final query for your scatter plot, please make sure certainty is on the x-axis, threat is on the y-axis, and range is plotted on the graph.
| table range, certainty, threat
Alternatively, as I had mentioned, instead of fieldColors you can use seriesColors.
<option name="charting.seriesColors">[0xff0000,0xffff00,0xFF4500]</option>
However, I feel you should check your query and make sure the scatter chart is being populated correctly before you think about changing colors. (Refer to the Splunk documentation on the Scatter Chart: https://docs.splunk.com/Documentation/Splunk/latest/Viz/ScatterChart)
I am converting my answer to a comment so that, until your issue is resolved, this flags for others to answer as well.
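Putting the two corrections from this thread together (string literals in case() must be quoted, and the category field must be the first column so the scatter chart uses it as the series name, with the second column on the x-axis and the third on the y-axis), here is a complete Simple XML panel as an added example. It is not code from the thread or from Splunk's documentation; the index, sourcetype, field names and color values are the ones the asker posted, while the dashboard label and the fixed 24-hour time range are assumptions made for the example.

```xml
<dashboard>
  <label>Host severity (added example, not from the thread)</label>
  <row>
    <panel>
      <chart>
        <title>Threat vs. certainty by status</title>
        <search>
          <!-- Query from the thread with two fixes applied:
               1. the case() results are quoted strings, so they are literals
                  rather than references to non-existent fields named Red/Orange/...;
               2. status is the first table column, so the scatter chart uses it as
                  the series name (certainty -> x-axis, threat -> y-axis). -->
          <query>index=* sourcetype=Vectra-CEF signature="hsc"
| dedup src
| search threat>0 AND certainty>0
| eval status=case(threat>=50 AND certainty>=50, "Critical",
                   threat>=50 AND certainty<50,  "High",
                   threat<50  AND certainty>=50, "Medium",
                   true(),                       "Low")
| table status, certainty, threat</query>
          <!-- Assumed time range for the example; the thread used $time.earliest$/$time.latest$ tokens. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">scatter</option>
        <option name="charting.axisX.minimumNumber">0</option>
        <option name="charting.axisX.maximumNumber">100</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <option name="charting.axisY.maximumNumber">100</option>
        <!-- Legend left visible so you can confirm the series names before mapping colors. -->
        <option name="charting.legend.placement">right</option>
        <!-- Keys are matched against the series names produced by eval, case-sensitively;
             a series with no matching key falls back to the default palette (the "blue dots"). -->
        <option name="charting.fieldColors">{"Critical":0xbe1e2d,"High":0xf05a28,"Medium":0xfaaf40,"Low":0x4e6875}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If a category still renders in the default color, check the legend first: the key in charting.fieldColors has to match the series name exactly. Note also that the thread's original `>50` / `<50` conditions leave a score of exactly 50 unassigned on one axis; the `>=` boundaries above make every point fall into exactly one bucket.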