So I'm having a strange issue that I'm hoping someone can help me with.
I have a pie chart with two goals:
1. Show the total number of Critical, High and Medium events (in each slice of the pie)
2. Keep the colors the same for Critical, High and Medium no matter what the result total of each (i.e. no matter which one has more events, the colors stay the same)
The search below (with relevant option) — This works great with the colors but does not show the total number in each slice.
index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
| transaction signature
| stats count by severity
| eval severity= upper(severity)
| fields severity, count
{CRITICAL:0Xff4d4d, HIGH:ffff66, MEDIUM:00cc66}
The search below fixes the number problem and shows the number total for each slice. However, the colors don't work at all. It's like it completely ignores my color selections.
| transaction signature
| stats count by severity
| eval severity= upper(severity)
| eval severity = count + " " + severity
| fields severity, count
{CRITICAL:0Xff4d4d, HIGH:ffff66, MEDIUM:00cc66}
Any ideas on how to get both to work?
Thanks!
@chrisschum, as stated by @Anonymous, you need to use the charting.seriesColors option since your field names are not fixed. However, you would need to ensure the following two things:
1) All series should always be present. Missing values may lead to wrong color being applied.
2) All series should always be in same sequence. Incorrect sequence may apply wrong color.
Following is a run anywhere search based on Splunk's _internal index which illustrates one such approach. It creates stats for three log levels, i.e. INFO, WARN, ERROR. It does the following:
1) Adds sequence number to log_level so that they are always sorted.
2) Uses Append to make sure dummy log levels with 0 count are added to results so that all series values are present.
3) Performs dedup on log level to get unique values for all series (this means in case a series is missing then 0 value result is retained).
4) Applies Sort on results.
5) Removes serial numbers from final results.
index=_internal sourcetype=splunkd log_level IN ("INFO","WARN","ERROR")
| stats count by log_level
| eval log_level=case(log_level=="INFO","1. INFO",log_level=="WARN","2. WARN",log_level=="ERROR","3. ERROR")
| append
[| makeresults
| fields - _time
| eval data="log_level=\"1. INFO\",count=0;log_level=\"2. WARN\",count=0;log_level=\"3. ERROR\",count=0;"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| fields - _raw]
| dedup log_level
| sort log_level
| eval log_level=replace(log_level,"^\d+.\s(.*)","\1")
| eval log_level=log_level." (".count.")"
Following is the simple XML dashboard example with above search that you can try out for series color for Pie Chart with Count in label.
<dashboard>
<label>Pie Chart with Series Color</label>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level IN ("INFO","WARN","ERROR")
| stats count by log_level
| eval log_level=case(log_level=="INFO","1. INFO",log_level=="WARN","2. WARN",log_level=="ERROR","3. ERROR")
| append
[| makeresults
| fields - _time
| eval data="log_level=\"1. INFO\",count=0;log_level=\"2. WARN\",count=0;log_level=\"3. ERROR\",count=0;"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| fields - _raw]
| dedup log_level
| sort log_level
| eval log_level=replace(log_level,"^\d+.\s(.*)","\1")
| eval log_level=log_level." (".count.")"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.0001</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="charting.seriesColors">["0x53A051","0xf8BE34","0xDC4E41"]</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
</row>
</dashboard>
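The same approach applied to the severity search from the question, as an added example that is not part of the original posts. It assumes the three severities are CRITICAL, HIGH and MEDIUM, keeps the question's "count severity" label format, builds the zero-count rows with split and mvexpand instead of KV, and expects the panel to set charting.seriesColors to [0xff4d4d,0xffff66,0x00cc66] (the question's colors, in CRITICAL, HIGH, MEDIUM order).

```spl
index=Foo NOT severity IN (low, informational) STATUS=active DNS=Foo*
| transaction signature
| stats count by severity
| eval severity=upper(severity)
| eval severity=case(severity=="CRITICAL","1. CRITICAL",severity=="HIGH","2. HIGH",severity=="MEDIUM","3. MEDIUM")
| append
    [| makeresults
    | fields - _time
    | eval severity=split("1. CRITICAL;2. HIGH;3. MEDIUM",";")
    | mvexpand severity
    | eval count=0]
| dedup severity
| sort severity
| eval severity=replace(severity,"^\d+\.\s(.*)","\1")
| eval severity=count." ".severity
```

Because dedup keeps the first row per value, a real count always wins over its appended zero row, and a severity with no events still occupies its position so the colors do not shift onto the wrong slice.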
This worked! Thank you very much!
I had the same problem, worked for me with:
<option name="charting.seriesColors">[0x0066cc,0x993333,0x65a637]</option>
Because the order is always the same in the table (alphabetical order), you always have the same colors. 🙂
Thanks! I tried making that change but it didn't work for me. It still rearranged the colors on some of them.
It was just an example; niketnilay ♦ gave you a full answer ^^
When you say the first one doesn't show the total number in each slice what do you mean? What does it show? It should be showing the count when you hover over the pie slice.
It shows the name for the slice of the pie and the percentage that slice represents. But it doesn't show how many events make up that percentage.
Thanks!
Clarifying
{CRITICAL:0Xff4d4d, HIGH:0xffff66, MEDIUM:ox00cc66}
is an