Splunk Enterprise Security

Can you help me with a problem I'm having with my pie chart?

chrisschum
Path Finder

So I'm having a strange issue that I'm hoping someone can help me with.

I have a pie chart with two goals:
1. Show the total number of Critical, High and Medium events (in each slice of the pie)
2. Keep the colors the same for Critical, High and Medium no matter what the result total of each (i.e. no matter which one has more events, the colors stay the same)

The search below (with the relevant option) works great with the colors but does not show the total number in each slice.

index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
| transaction signature
| stats count by severity
| eval severity=upper(severity)
| fields severity, count

{CRITICAL:0xff4d4d, HIGH:0xffff66, MEDIUM:0x00cc66}

The search below fixes the number problem and shows the number total for each slice. However, the colors don't work at all. It's like it completely ignores my color selections.

index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
| transaction signature
| stats count by severity
| eval severity=upper(severity)
| eval severity=count + " " + severity
| fields severity, count

{CRITICAL:0xff4d4d, HIGH:0xffff66, MEDIUM:0x00cc66}

Any ideas on how to get both to work?

Thanks!

1 Solution

niketn
Legend

@chrisschum, as stated by @Anonymous, you need to use the charting.seriesColors option since your field names are not fixed. However, you would need to ensure the following two things:
1) All series should always be present. Missing values may lead to the wrong color being applied.
2) All series should always be in the same sequence. An incorrect sequence may apply the wrong color.

Following is a run-anywhere search based on Splunk's _internal index which illustrates one such approach. It creates stats for three log levels, i.e. INFO, WARN, ERROR. It does the following:
1) Adds a sequence number to log_level so that they are always sorted.
2) Uses append to make sure dummy log levels with a 0 count are added to the results so that all series values are present.
3) Performs dedup on log level to get unique values for all series (this means that if a series is missing, the 0-value result is retained).
4) Applies sort on the results.
5) Removes the serial numbers from the final results.


index=_internal sourcetype=splunkd log_level IN ("INFO","WARN","ERROR")
| stats count by log_level 
| eval log_level=case(log_level=="INFO","1. INFO",log_level=="WARN","2. WARN",log_level=="ERROR","3. ERROR") 
| append 
    [| makeresults 
    | fields - _time 
    | eval data="log_level=\"1. INFO\",count=0;log_level=\"2. WARN\",count=0;log_level=\"3. ERROR\",count=0;" 
    | makemv data delim=";" 
    | mvexpand data 
    | rename data as _raw 
    | KV 
    | fields - _raw]
| dedup log_level
| sort log_level
| eval log_level=replace(log_level,"^\d+.\s(.*)","\1")
| eval log_level=log_level." (".count.")"

Following is a simple XML dashboard example with the above search that you can try out for series colors on a pie chart with the count in the label.

<dashboard>
  <label>Pie Chart with Series Color</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level IN ("INFO","WARN","ERROR")
| stats count by log_level 
| eval log_level=case(log_level=="INFO","1. INFO",log_level=="WARN","2. WARN",log_level=="ERROR","3. ERROR") 
| append 
    [| makeresults 
    | fields - _time 
    | eval data="log_level=\"1. INFO\",count=0;log_level=\"2. WARN\",count=0;log_level=\"3. ERROR\",count=0;" 
    | makemv data delim=";" 
    | mvexpand data 
    | rename data as _raw 
    | KV 
    | fields - _raw]
| dedup log_level
| sort log_level
| eval log_level=replace(log_level,"^\d+.\s(.*)","\1")
| eval log_level=log_level." (".count.")"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.0001</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="charting.seriesColors">["0x53A051","0xf8BE34","0xDC4E41"]</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
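Applying the accepted approach to the severity pie from the question, as an added example (not code from any post here): without the zero-fill, a day with no CRITICAL notables would silently shift the first color onto HIGH. It reuses the asker's base search and colors, and assumes a makeresults/streamstats subsearch in place of the KV-based zero-fill plus an added where step to drop any severity outside the three mapped values.

```spl
index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
| transaction signature
| stats count by severity
| eval severity=upper(severity)
``` prefix a sequence number so sort order is fixed: CRITICAL, HIGH, MEDIUM
| eval severity=case(severity=="CRITICAL","1. CRITICAL", severity=="HIGH","2. HIGH", severity=="MEDIUM","3. MEDIUM")
``` drop anything that did not map (assumption: only the three severities are wanted)
| where isnotnull(severity)
``` constructed zero-count rows so every series is always present
| append
    [| makeresults count=3
    | streamstats count AS n
    | eval severity=case(n==1,"1. CRITICAL", n==2,"2. HIGH", n==3,"3. MEDIUM"), count=0
    | fields - _time, n]
``` real rows come first, so dedup keeps the real count and only falls back to 0 when a series is missing
| dedup severity
| sort severity
``` strip the sequence prefix and append the count to the label
| eval severity=replace(severity,"^\d+\.\s(.*)","\1")." (".count.")"
| fields severity, count
```

Pair it with `<option name="charting.seriesColors">["0xff4d4d","0xffff66","0x00cc66"]</option>` in place of charting.fieldColors, so the colors follow the CRITICAL, HIGH, MEDIUM order the sort enforces.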


chrisschum
Path Finder

This worked! Thank you very much!

0 Karma

osakachan
Communicator

I had the same problem; it worked for me with:

<option name="charting.seriesColors">[0x0066cc,0x993333,0x65a637]</option>

Because the order in the table is always the same (alphabetical order), you always get the same colors. 🙂

chrisschum
Path Finder

Thanks! I tried making that change but it didn't work for me. It still rearranged the colors on some of them.

0 Karma

osakachan
Communicator

That was just an example; niketnilay ♦ gave you a full answer ^^

0 Karma

kmaron
Motivator

When you say the first one doesn't show the total number in each slice, what do you mean? What does it show? It should be showing the count when you hover over the pie slice.

0 Karma

chrisschum
Path Finder

It shows the name for the slice of the pie and the percentage that slice represents, but it doesn't show how many events make up that percentage.

Thanks!

0 Karma

chrisschum
Path Finder

Clarifying

{CRITICAL:0xff4d4d, HIGH:0xffff66, MEDIUM:0x00cc66}
is an

0 Karma