Splunk Search

Arranging column chart X-axis labels in static order

Pratyusha
Engager

Hi Everyone,

I have a column chart for the below query. As shown in the below screenshot, the x-axis label is sorted in alphabetical order, but my requirement is display it in a static order (critical,high,medium,low,informational) and in additional can we have unique color for the bar for each x-axis label (ex:critical:red, high:green). Can someone guide me on how to implement these changes. Appreciate your help in advance!!

Pratyusha_0-1702875842011.png

 

Query:

`notable`
| stats count by urgency

Labels (1)
0 Karma
1 Solution

dtburrows3
Builder

I was able to achieve this on my local instance by a stats aggregation by "severity" field and then doing a transpose of results so that the splunk chary visualization will display it this way.

Example of SPL:

<base_search>
    | stats 
        count as count
            by severity
    | transpose header_field=severity column_name=severity
    | fields + severity, critical, high, medium, low, informational

 
In the dashboard XML you should be able to add this option tag to your bar chart visualization to assign colors for each unique severity value.

<option name="charting.fieldColors">{"critical":0xFF0000,"high":0xFF7F50,"medium":0xFFBF00,"low":0xDFFF00,"informational":0x40E0D0}</option>

 
Screenshot of results.

dtburrows3_0-1702877861893.png


Full SPL used to replicate on my local instance:

| makeresults count=377
    | eval
        severity="high"
    | append
        [
            | makeresults count=1118
                | eval
                    severity="medium"
            ]
    | append
        [
            | makeresults count=119
                | eval
                    severity="critical"
            ]
    | append
        [
            | makeresults count=1001
                | eval
                    severity="low"
            ]
    | append
        [
            | makeresults count=41
                | eval
                    severity="informational"
            ]
            
    | stats 
        count as count
            by severity
    | transpose header_field=severity column_name=severity
    | fields + severity, critical, high, medium, low, informational

View solution in original post

Pratyusha
Engager

Thank You, this helped. 

0 Karma

dtburrows3
Builder

I was able to achieve this on my local instance by a stats aggregation by "severity" field and then doing a transpose of results so that the splunk chary visualization will display it this way.

Example of SPL:

<base_search>
    | stats 
        count as count
            by severity
    | transpose header_field=severity column_name=severity
    | fields + severity, critical, high, medium, low, informational

 
In the dashboard XML you should be able to add this option tag to your bar chart visualization to assign colors for each unique severity value.

<option name="charting.fieldColors">{"critical":0xFF0000,"high":0xFF7F50,"medium":0xFFBF00,"low":0xDFFF00,"informational":0x40E0D0}</option>

 
Screenshot of results.

dtburrows3_0-1702877861893.png


Full SPL used to replicate on my local instance:

| makeresults count=377
    | eval
        severity="high"
    | append
        [
            | makeresults count=1118
                | eval
                    severity="medium"
            ]
    | append
        [
            | makeresults count=119
                | eval
                    severity="critical"
            ]
    | append
        [
            | makeresults count=1001
                | eval
                    severity="low"
            ]
    | append
        [
            | makeresults count=41
                | eval
                    severity="informational"
            ]
            
    | stats 
        count as count
            by severity
    | transpose header_field=severity column_name=severity
    | fields + severity, critical, high, medium, low, informational
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...