Dashboards & Visualizations

Trying to set colors for a pie chart based on text value of a field, with the count of the events for that text value.

Builder

Here is my search query.

            index=sdm host=sdm1
            | fields Level
            | stats values(Level), count by Level
            | sort Level
            | rename Level as Messages, count as Occurrences
            | eval Messages1=Messages." : ".Occurrences
            | table Messages1, Occurrences

Here are the XML chart options for the pie chart. I have tried multiple options; all failed.

Test 1

    <option name="charting.fieldColors">{"SIGNIFICANT":0x39da2b,"ERROR":0xfdff00,"SEVERE_ERROR":0xf70606,"EXIT":0xffffff}</option>

Test 2

    <option name="charting.legend.labels">[SIGNIFICANT,ERROR,SEVERE_ERROR,EXIT]</option>
    <option name="charting.seriesColors">[0x39da2b,0xfdff00,0xf70606,0xffffff]</option>

Test 3

    <option name="charting.legend.labels">[ERROR,EXIT,SEVERE_ERROR,SIGNIFICANT]</option>
    <option name="charting.seriesColors">[0xfdff00,0xffffff,0xf70606,0x39da2b]</option>

What is interesting and perplexing is that dependent upon the time selected in the Time Picker the colors displayed in the dashboard panel change. I don't have enough Karma to upload pics.

0 Karma
1 Solution

SplunkTrust

@genesiusj if you are creating labels for pie chart to include both name and count, then the label will not remain fixed and you would not be able to use charting.fieldColors. So

1) Either take out Occurrences from the label and then use charting.fieldColors

         index=sdm host=sdm1
         | fields Level
         | stats count as Occurences by Level
         | sort Level
         | rename Level as Message

2) Or change the query to have all the labels show up in the pie chart in the same sequence (i.e. null fields should be added to the result with Occurrence as 0, and sorting should be by field names and not by Occurrence count)

Refer to some of my previous answers:
https://answers.splunk.com/answers/734408/how-to-assign-fixed-colors-to-pie-chart-with-dinam.html
https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
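
Option 2 above, written out as a Simple XML pie-chart panel; this is an added example, not code from the original answer or the linked posts. It assumes the only Level values are the four named in the question and that the dashboard has a time input with the hypothetical token name `time_tok`.

```xml
<chart>
  <title>Messages by Level (constructed example)</title>
  <!--
    The appended subsearch adds one zero-count row for every expected Level,
    so a Level with no events in the selected time range still produces a row.
    After the second stats and the sort, the rows always come out as
    ERROR, EXIT, SEVERE_ERROR, SIGNIFICANT, whatever the time range.
    The label (Level plus count) is built only after the order is fixed.
  -->
  <search>
    <query>
      index=sdm host=sdm1
      | stats count as Occurrences by Level
      | append
          [| makeresults
           | eval Level=split("ERROR,EXIT,SEVERE_ERROR,SIGNIFICANT", ",")
           | mvexpand Level
           | eval Occurrences=0
           | fields Level Occurrences]
      | stats sum(Occurrences) as Occurrences by Level
      | sort 0 Level
      | eval Messages=Level." : ".Occurrences
      | table Messages Occurrences
    </query>
    <!-- time_tok is a hypothetical token name for the dashboard's Time Picker -->
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <option name="charting.chart">pie</option>
  <!-- Keep small and zero-count slices as their own series instead of
       letting them be merged into an "other" slice -->
  <option name="charting.chart.sliceCollapsingThreshold">0</option>
  <!-- Colors are applied by row position, so they follow the sorted Level
       order: ERROR, EXIT, SEVERE_ERROR, SIGNIFICANT -->
  <option name="charting.seriesColors">[0xfdff00,0xffffff,0xf70606,0x39da2b]</option>
</chart>
```

If another Level value appears in the data, it has to be added to both the `split` list and the color list at its alphabetical position, otherwise every color after it shifts by one.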


Builder

@niketnilay
Thanks, that worked. Since I would like to keep the occurrences (count) for each Level, I went with the charting.seriesColors. I used the SPL code from your https://answers.splunk.com/answers/700109/can-you-help-me-with-a-problem-im-having-with-my-p.html link.

Your SPL is really complex (for a newbie like myself - only Fundamentals 1 thus far). And I am trying to understand it more. Would you be able to direct me to some resources that would explain this more clearly? "Teach a man to fish...."

Again, thank you for the code and the quick response.
God bless,
Genesius

0 Karma

Builder

@niketnilay
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to Accept answers from those who have directed me down the correct path.
Apologies for the delay.

BTW, I want to mark your answer as Accept, but the check is above my comment, not yours. If you repost your comment, I should be able to accept it...I hope.

Thanks and God bless,
Genesius

0 Karma

SplunkTrust

@genesiusj I am glad the solution worked for you. Please go ahead and try to accept now, as I see the comment has already been converted to an answer!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

@niketnilay
Done. Thanks again and God bless,
Genesius

0 Karma

Builder

Continued from original post.

This option worked for another panel in this dashboard with a bar chart.

    <option name="charting.fieldColors">{"SIGNIFICANT":0x39da2b,"ERROR":0xfdff00,"SEVERE_ERROR":0xf70606,"EXIT":0xffffff}</option>

Using this query.

    index=sdm host=sdm*
    | eval Server = if(host="sdm1", "Prod", "Test")
    | stats
        count(eval(Level="SIGNIFICANT")) as SIGNIFICANT
        count(eval(Level="ERROR")) as ERROR
        count(eval(Level="SEVERE_ERROR")) as SEVERE_ERROR
        count(eval(Level="EXIT")) as EXIT
        by Server

Thanks and God bless,
Genesius

0 Karma