Solved: Pie chart colors not changing when only one value

power12 · ‎03-04-2024

I have a query where I am counting the PASS and fail and displaying it as a pie-chart.Also I modified the search so that it displays the count and status .When the status field which has pass and fail values the pie chart displays green for pass and red for fail as expected but when there is only pass it displays red not green

Attached is the screenshot

 <chart>
        <search>
          <query>index="abc"

| rex field=source "ame\/(?&lt;Type&gt;[^\/]+)" 
|search Type=$tok_type$
| rex field=_raw "(?i)^[^ ]* (?P&lt;status&gt;.+)" 
| stats latest(status) as status by host 
| stats count by status
 | eval chart = count + " " + status | fields chart, count</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
           <option name="charting.legend.labels">[FAIL,PASS]</option>
        <option name="charting.seriesColors">[#BA0F30,#116530]</option>
        <option name="refresh.display">progressbar</option>
        <option name="charting.chart.showPercent">true</option>
      </chart>

Thanks in Advance

bowesmana · ‎03-04-2024

The problem that seriesColours is just a list of colours that are used in order, so if there are two rows, the FAIL row is always first, so the first colour in the series applies.

I believe the only way to solve this is by adding a <done> clause after the search to calculate what the series colours should be and then use the token, like this

<search>
...
  <done>
    <eval token="series_colour">case($job.resultCount$=2, "#BA0F30,#116530", $job.resultCount$=1 AND match($result.chart$,"FAIL"), "#BA0F30", $job.resultCount$=1 AND match($result.chart$,"PASS"), "#116530")</eval>
  </done>
</search>
...
<option name="charting.seriesColors">[$series_colour$]</option>

So, the eval part of the done clause will check if there are two rows, then the series has two values, otherwise it checks the chart field to see if it is FAIL or PASS and sets the single series values as appropriate.

Then in the seriesColors statement, use the token.

View solution in original post

power12 · ‎03-08-2024

@bowesmana that worked thank you

bowesmana · ‎03-04-2024

The problem that seriesColours is just a list of colours that are used in order, so if there are two rows, the FAIL row is always first, so the first colour in the series applies.

I believe the only way to solve this is by adding a <done> clause after the search to calculate what the series colours should be and then use the token, like this

<search>
...
  <done>
    <eval token="series_colour">case($job.resultCount$=2, "#BA0F30,#116530", $job.resultCount$=1 AND match($result.chart$,"FAIL"), "#BA0F30", $job.resultCount$=1 AND match($result.chart$,"PASS"), "#116530")</eval>
  </done>
</search>
...
<option name="charting.seriesColors">[$series_colour$]</option>

So, the eval part of the done clause will check if there are two rows, then the series has two values, otherwise it checks the chart field to see if it is FAIL or PASS and sets the single series values as appropriate.

Then in the seriesColors statement, use the token.

Pie chart colors not changing when only one value

XML

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation