Here is my search query.
index=sdm host=sdm1
| fields Level
| stats values(Level), count by Level
| sort Level
| rename Level as Messages, count as Occurrences
| eval Messages1=Messages." : ".Occurrences
| table Messages1, Occurrences
Here are the XML chart options for the pie chart. I have tried multiple options; all failed.
Test 1
<option name="charting.fieldColors">{"SIGNIFICANT":0x39da2b,"ERROR":0xfdff00,"SEVERE_ERROR":0xf70606,"EXIT":0xffffff}</option>
Test 2
<option name="charting.legend.labels">[SIGNIFICANT,ERROR,SEVERE_ERROR,EXIT]</option>
<option name="charting.seriesColors">[0x39da2b,0xfdff00,0xf70606,0xffffff]</option>
Test 3
<option name="charting.legend.labels">[ERROR,EXIT,SEVERE_ERROR,SIGNIFICANT]</option>
<option name="charting.seriesColors">[0xfdff00,0xffffff,0xf70606,0x39da2b]</option>
What is interesting and perplexing is that, dependent upon the time selected in the Time Picker, the colors displayed in the dashboard panel change. I don't have enough Karma to upload pics.
@genesiusj if you are creating labels for the pie chart to include both name and count, then the label will not remain fixed and you would not be able to use charting.fieldColors. So
1) Either take out Occurences from the label and then use charting.fieldColors
index=sdm host=sdm1
| fields Level
| stats count as Occurences by Level
| sort Level
| rename Level as Message
2) Or change the query to have all the labels show up in the pie chart in the same sequence, (i.e. null fields should be added to result with Occurence as 0 and sorting should be by field names and not by Occurence count)
Refer to some of my previous answers:
https://answers.splunk.com/answers/734408/how-to-assign-fixed-colors-to-pie-chart-with-dinam.html
https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html
@niketnilay
Thanks, that worked. Since I would like to keep the occurrences (count) for each Level, I went with the charting.seriesColors. I used the SPL code from your https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html link.
Your SPL is really complex (for a newbie like myself - only Fundamentals 1 thus far). And I am trying to understand it more. Would you be able to direct me to some resources that would explain this more clearly? "Teach a man to fish...."
Again, thank you for the code and the quick response.
God bless,
Genesius
@niketnilay
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to Accept answers from those who have directed me down the correct path.
Apologies for the delay.
BTW, I want to mark your answer as Accept, but the check is above my comment, not yours. If you repost your comment, I should be able to accept it...I hope.
Thanks and God bless,
Genesius
@genesiusj I am glad the solution worked for you. Please go ahead and try to accept now as I see the comment is already converted as answer!
@niketnilay
Done. Thanks again and God bless,
Genesius
Continued from original post.
This option worked for another panel in this dashboard with a bar chart.
<option name="charting.fieldColors">{"SIGNIFICANT":0x39da2b,"ERROR":0xfdff00,"SEVERE_ERROR":0xf70606,"EXIT":0xffffff}</option>
Using this query.
index=sdm host=sdm*
| eval Server = if(host="sdm1", "Prod", "Test")
| stats
count(eval(Level="SIGNIFICANT")) as SIGNIFICANT
count(eval(Level="ERROR")) as ERROR
count(eval(Level="SEVERE_ERROR")) as SEVERE_ERROR
count(eval(Level="EXIT")) as EXIT
by Server
Thanks and God bless,
Genesius