Bar Chart Column Color Based on Value

Path Finder

I have a very simple bar chart that I'm trying to configure so that the bar colors turn red if the value for "FreeSpacePercent" is under 10, yellow if it's between 10 and 20, and green if above 20. The chart displays the free space on various datastores in our vCenter environment. Here's my search:

sourcetype="csv" Datastore=* | table Datastore,FreeSpacePercent | sort FreeSpacePercent

I've looked at several different posts on this, but they all appear to rely on stats and counts. Thanks in advance.


Revered Legend

Have a look at the solution of a similar question.



If you're using simple XML, you can use something like this (you'll be charting the new fields in stacked mode):

    <searchString>sourcetype="csv" Datastore=* | eval redCritical = if(FreeSpacePercent &lt;= 15,FreeSpacePercent ,0) | eval yellowWarning = if(FreeSpacePercent &gt; 15 AND FreeSpacePercent &lt;=20,FreeSpacePercent ,0) | eval greenOK = if(FreeSpacePercent &gt; 20,FreeSpacePercent ,0) | table Datastore,redCritical,yellowWarning,greenOK</searchString>
    <option name="charting.legend.labels">[redCritical,yellowWarning,greenOK]</option>
    <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
    <option name="charting.primaryAxisTitle.text">FreeSpacePercent</option>
    <!-- Stack the three series so each Datastore shows a single colored column -->
    <option name="charting.chart.stackMode">stacked</option>
    <option name="charting.chart">column</option>


Path Finder

Thanks so much.

Revered Legend

Add the sort command "| sort FreeSpacePercent " before the eval statements.

Path Finder

Ah ha! That worked! For some reason the >, <, = symbols worked but the &gt, etc. ones in the XML above did not. Do you know how to get it to sort by FreeSpacePercent so that the lowest is on top? Piping that to Sort FreeSpacePercent didn't do anything.

Revered Legend

Can you check if this query returns correct data? For each row there should be 4 fields: Datastore, redCritical, yellowWarning, greenOK, and 2 out of redCritical, yellowWarning, greenOK should have the value 0 and the other 1 a non-zero value.

sourcetype="csv" Datastore=* | eval redCritical = if(FreeSpacePercent <= 15,FreeSpacePercent ,0) | eval yellowWarning = if(FreeSpacePercent > 15 AND FreeSpacePercent <=20,FreeSpacePercent ,0) | eval greenOK = if(FreeSpacePercent > 20,FreeSpacePercent ,0) | table Datastore,redCritical,yellowWarning,greenOK

Path Finder

This just generates a blank chart with a legend containing redCritical, yellowWarning and greenOK.

Revered Legend

Updated the query. In eval, you need to assign the value of FreeSpacePercent if the criterion is met.

Path Finder

Here's the search with the working evals:

sourcetype="csv" Datastore=* | eval redCritical = if(FreeSpacePercent <= 15,Datastore,0) | eval yellowWarning = if(FreeSpacePercent > 15 AND FreeSpacePercent <=20,Datastore,0) | eval greenOK = if(FreeSpacePercent >20,Datastore,0) | table Datastore,FreeSpacePercent | Sort FreeSpacePercent

I just don't know what to do from here and that white paper really doesn't help...

Path Finder

I did see that post and was able to generate the "evals" I need to make this work. I just don't know how to actually get the chart to display those evaluated values. It's more the charting part than the eval part that I need help with and that post just says "read this white paper".
