Re: Bar color based on value on chart

karakutu · ‎07-20-2017

Hi everbody

i want to create color bar chart which color change based value.
i see different example for stats but there is no example for chart

can i create chart with value based color?

index=main sourcetype="Perfmon:Free
Disk Space" counter="% Free Space"
|chart avg(Value) by host | eval
redCount = if(Value>80,Value,0)
| eval yellowCount = if(Value > 70 AND Value>15,Value,0)
| eval greenCount = if(Value>=15, Value, 0) | fields -
Value

karakutu · ‎07-21-2017

i did it

 <chart>
    <searchString>index=main sourcetype="Perfmon:Free Disk Space" counter="% Free Space"  | chart avg(Value) as FreeSpacePercent by host |sort - FreeSpacePercent 
    | eval redCritical = if(FreeSpacePercent >= 85,FreeSpacePercent ,0) 
    | eval yellowWarning = if(FreeSpacePercent > 55 AND FreeSpacePercent <=84,FreeSpacePercent ,0) 
    | eval greenOK = if(FreeSpacePercent < 54,FreeSpacePercent ,0) 
    | table Datastore,redCritical,yellowWarning,greenOK</searchString>
     <option name="charting.legend.labels">[redCritical,yellowWarning,greenOK]</option>
     <option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>
       <option name="charting.primaryAxisTitle.text">FreeSpacePercent</option>
       <option name="charting.chart.stacked">FreeSpacePercent</option>
       <option name="charting.chart">column</option>
</chart>

JDukeSplunk · ‎07-21-2017

Nice!

I tinkered with it a little to combine host and drive letter. I also reversed green/red so that lower percent free space will show up as critical. I also rounded off the decimal and instead of using an average, I am using "last" value. Since "last" is a more accurate representation of the servers current disk usage.

sourcetype="Perfmon:Free Disk Space" counter="% Free Space" NOT instance=_total
|eval host=host." ".instance
| chart eval(round(last(Value)/1,0)) as FreeSpacePercent by host
|sort - FreeSpacePercent
| eval greenOK = if(FreeSpacePercent >= 85,FreeSpacePercent ,0)
| eval yellowWarning = if(FreeSpacePercent > 55 AND FreeSpacePercent <=84,FreeSpacePercent ,0)
| eval redCritical = if(FreeSpacePercent < 54,FreeSpacePercent ,0)
| table host,redCritical,yellowWarning,greenOK

JDukeSplunk · ‎07-20-2017

So.. This will be incomplete but maybe some combination of this search using rangemap and stats.

index=main sourcetype="Perfmon:Free Disk Space" counter="% Free Space" 
|stats avg(Value) as Freespace by host 
|rangemap field=Freespace Green=80-100, Yellow=11-79, Red=0-10
|stats count(eval(range="Red")) as Red count(eval(range="Yellow")) as Yellow count(eval(range="Green")) as Green

And the dashboard options shown here.

http://docs.splunk.com/Documentation/Splunk/6.1/Viz/BuildandeditdashboardswithSimplifiedXML#Specify_...

<option name="charting.fieldColors">
  {"Red": 0xFF0000, "Yellow": 0xFF9900, "Green":0x009900, "NULL":0xC4C4C0}
</option>

karakutu · ‎07-21-2017

why we need to use stats twice?

this search query give only one bar. however i have more than one hosts.

i want to show the diskspace status. if the disk 80% prozent full than i want to change the color of bar.

JDukeSplunk · ‎07-21-2017

I thought you wanted a summary count for all your hosts.

Anyway, try this, and combine with this article for colors. http://docs.splunk.com/Documentation/Splunk/6.1/Viz/BuildandeditdashboardswithSimplifiedXML#Specify_...
Remove the "instance" if you want all disks.

index=main sourcetype="Perfmon:Free Disk Space" counter="% Free Space" instance=C:
| chart avg(Value) as PercentFree by host |sort - PercentFree

Bar color based on value on chart

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...