- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How do you customize colors in a bar chart?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been trying to customize the color of bars in a Bar chart as per the field values.
I have tried using eval/if, case as per suggestions in Splunk answers but none of it helps.
To edit the source,I applied charting.fieldcolors and charting.seriesColors but the color of bars in dashboard doesn't change.
| `xyz`
| search comment=WAA OR
comment=CWMW OR
comment=PHSH OR
comment=PHSHMA OR
comment=PHSHWS OR
comment=IM OR
comment=3PI OR
comment=Other | replace WAA with "A" in comment| replace CWMW with "B" in comment| replace PHSH with "C" in comment| replace PHSHMA with "D" in comment | replace PHSHWS with "E" in comment| replace IM with "F" in comment| replace 3PI with "G" in comment
| stats count by comment | eventstats sum(count) as perc | eval perc=round(count*100/perc,2)
|eval v1=if(comment="A","A",1)
|eval v2=if(comment="B","B",2)
|eval v3 =if(comment="C","C",3)
|eval v4=if(comment="D","D",4)
|eval v5=if(comment="E","E",5)
|eval v6=if(comment="F","F",6)
| table comment perc
Note that the chart is stacked.
I have tried all the solutions in splunk.answers, but nothing works
xml code :
{"v1":0xFF0000,"v2":0xFFFF00,"v3":0x00FF00,"v4":0xFF0000,"v5":0xFFFF00,"v6":0x00FF00}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@snigdhasaxena before you work with coloring fields, there are some of the things you should look at in your existing query
1) Move search filters to base search
2) replace should be after stats
3) eval v1, v2... do not seem to add any value as you are dropping the fields.
4) seems like you are better off using top command instead of using eventstats to calculate percent.
FYI, Your existing query should show colors if you use pie chart visualization, but not column or bar chart which needs a transpose of axis.
Following is an example with Splunk's _internal index where I have used 3 components instead of 7 comment values that you have used.
index=_internal sourcetype=splunkd component IN ("Metrics","PeriodicHealthReporter","ModularInputs")
| top 3 component showperc=t showcount=f
| eval percent=round(percent,2)
| fields - _*
| transpose 3 header_field=component column_name=component
PS: Output of first three command should be similar to what you have in your current search.
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@snigdhasaxena before you work with coloring fields, there are some of the things you should look at in your existing query
1) Move search filters to base search
2) replace should be after stats
3) eval v1, v2... do not seem to add any value as you are dropping the fields.
4) seems like you are better off using top command instead of using eventstats to calculate percent.
FYI, Your existing query should show colors if you use pie chart visualization, but not column or bar chart which needs a transpose of axis.
Following is an example with Splunk's _internal index where I have used 3 components instead of 7 comment values that you have used.
index=_internal sourcetype=splunkd component IN ("Metrics","PeriodicHealthReporter","ModularInputs")
| top 3 component showperc=t showcount=f
| eval percent=round(percent,2)
| fields - _*
| transpose 3 header_field=component column_name=component
PS: Output of first three command should be similar to what you have in your current search.
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, it worked for me 🙂
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
