Splunk Enterprise Security

Can you help me with a problem i'm having with my pie chart?

chrisschum
Path Finder

So I'm having a strange issue that I'm hoping someone can help me with.

I have a pie chart with two goals:
1. Show the total number of Critical, High and Medium events (in each slice of the pie)
2. Keep the colors the same for Critical, High and Medium no matter what the result total of each (i.e. no matter which one has more events, the colors stay the same)

The search below (with relevant option) — This works great with the colors but does not show the total number in each slice.

index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
          | transaction signature
          | stats count by severity
          | eval severity= upper(severity)
          | fields severity, count

{CRITICAL:0Xff4d4d, HIGH:ffff66, MEDIUM:00cc66}

The search below fixes the number problem and shows the number total for each slice. However, the colors don't work at all. It's like it completely ignores my color selections.

index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
          | transaction signature
          | stats count by severity
          | eval severity= upper(severity)
          | eval severity = count + " " + severity 
          | fields severity, count

{CRITICAL:0Xff4d4d, HIGH:ffff66, MEDIUM:00cc66}

Any ideas on how to get both to work?

Thanks!

1 Solution

niketn
Legend

@chrisschum, as stated by @elpred0 you need to use the charting.seriesColors option since your field names are not fixed. However, you would need to ensure the following two things:
1) All series should always be present. Missing values may lead to the wrong color being applied.
2) All series should always be in the same sequence. An incorrect sequence may apply the wrong color.

Following is a run-anywhere search based on Splunk's _internal index which illustrates one such approach. It creates stats for three log levels, i.e. INFO, WARN, ERROR. It does the following:
1) Adds a sequence number to log_level so that they are always sorted.
2) Uses append to make sure dummy log levels with 0 count are added to the results so that all series values are present.
3) Performs dedup on log_level to get unique values for all series (this means that if a series is missing, the 0-value result is retained).
4) Applies sort on the results.
5) Removes the serial numbers from the final results.


index=_internal sourcetype=splunkd log_level IN ("INFO","WARN","ERROR")
| stats count by log_level 
| eval log_level=case(log_level=="INFO","1. INFO",log_level=="WARN","2. WARN",log_level=="ERROR","3. ERROR") 
| append 
    [| makeresults 
    | fields - _time 
    | eval data="log_level=\"1. INFO\",count=0;log_level=\"2. WARN\",count=0;log_level=\"3. ERROR\",count=0;" 
    | makemv data delim=";" 
    | mvexpand data 
    | rename data as _raw 
    | KV 
    | fields - _raw]
| dedup log_level
| sort log_level
| eval log_level=replace(log_level,"^\d+.\s(.*)","\1")
| eval log_level=log_level." (".count.")"

Following is a Simple XML dashboard example with the above search that you can try out for series colors on a pie chart with the count in the label.

<dashboard>
  <label>Pie Chart with Series Color</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level IN ("INFO","WARN","ERROR")
| stats count by log_level 
| eval log_level=case(log_level=="INFO","1. INFO",log_level=="WARN","2. WARN",log_level=="ERROR","3. ERROR") 
| append 
    [| makeresults 
    | fields - _time 
    | eval data="log_level=\"1. INFO\",count=0;log_level=\"2. WARN\",count=0;log_level=\"3. ERROR\",count=0;" 
    | makemv data delim=";" 
    | mvexpand data 
    | rename data as _raw 
    | KV 
    | fields - _raw]
| dedup log_level
| sort log_level
| eval log_level=replace(log_level,"^\d+.\s(.*)","\1")
| eval log_level=log_level." (".count.")"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.0001</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="charting.seriesColors">["0x53A051","0xf8BE34","0xDC4E41"]</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


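Applying niketn's padding-and-sort approach to the severity pie from the question (an added example, not code from the thread; the index, field names, severity values and colours come from the question, while the "1."/"2."/"3." prefixes and the makeresults/streamstats padding are assumptions):

```spl
index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
| transaction signature
| stats count by severity
| eval severity=upper(severity)
| eval severity=case(severity=="CRITICAL","1. CRITICAL", severity=="HIGH","2. HIGH", severity=="MEDIUM","3. MEDIUM")
| append
    [| makeresults count=3
    | streamstats count AS n
    | eval severity=case(n==1,"1. CRITICAL", n==2,"2. HIGH", n==3,"3. MEDIUM"), count=0
    | fields severity, count]
| dedup severity
| sort severity
| eval severity=replace(severity,"^\d+\.\s(.*)","\1")
| eval severity=severity." (".count.")"
| fields severity, count
```

Because dedup keeps the first row per severity, real counts win over the appended zero rows, and after the sort every series is present in the fixed CRITICAL, HIGH, MEDIUM order, so the positional option <option name="charting.seriesColors">["0xff4d4d","0xffff66","0x00cc66"]</option> always maps the question's colours to the same slices.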


chrisschum
Path Finder

This worked! Thank you very much!


osakachan
Communicator

I had the same problem; it worked for me with:

<option name="charting.seriesColors">[0x0066cc,0x993333,0x65a637]</option>

Because the order is always the same in the table (alphabetical order), you always get the same colors. 🙂

chrisschum
Path Finder

Thanks! I tried making that change but it didn't work for me. It still rearranged the colors on some of them.


osakachan
Communicator

It was just an example; niketnilay ♦ gave you a full answer ^^


kmaron
Motivator

When you say the first one doesn't show the total number in each slice what do you mean? What does it show? It should be showing the count when you hover over the pie slice.


chrisschum
Path Finder

It shows the name for the slice of the pie and the percentage that slice represents, but it doesn't show how many events make up that percentage.

Thanks!


chrisschum
Path Finder

Clarifying

{CRITICAL:0Xff4d4d, HIGH:0xffff66, MEDIUM:0x00cc66}
is an
