Splunk Search

Change color of pie chart based on percentage automatically

isha_rastogi
Path Finder

I want to change color of slices of pie chart based on the percentage values. slice that have highest percentage should be green and then less that blue and least red.
I don't have any range of percentages it will change automatically

Tags (4)
0 Karma
1 Solution

niketn
Legend

@isha_rastogi, based on the query and screenshot, you should sort the results of main search which returns v100, v200 and v300. Then you should use append to merge Remaining series in the end as 4th row in the table.

Currently you are applying | sort - Count after append which will also sorts Remaining series, which you always want as the last row in your table. Please try this out and seriesColors should work fine for you:

 <option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c, #000000]</option>

PS: As stated earlier seriesColor is depended on max number of series to be plotted and their sequence. So ensure that v100, v200 and v300 are always present.
Also while using inputlookup you can directly use where condition to filter on field value rather than another pipe with search so your inputlookup can be changed to the following:

| inputlookup names.csv where Systems="W"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@isha_rastogi, based on the query and screenshot, you should sort the results of main search which returns v100, v200 and v300. Then you should use append to merge Remaining series in the end as 4th row in the table.

Currently you are applying | sort - Count after append which will also sorts Remaining series, which you always want as the last row in your table. Please try this out and seriesColors should work fine for you:

 <option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c, #000000]</option>

PS: As stated earlier seriesColor is depended on max number of series to be plotted and their sequence. So ensure that v100, v200 and v300 are always present.
Also while using inputlookup you can directly use where condition to filter on field value rather than another pipe with search so your inputlookup can be changed to the following:

| inputlookup names.csv where Systems="W"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

isha_rastogi
Path Finder

@niketnilay It worked.

0 Karma

niketn
Legend

@isha_rastogi, Yay!!! Glad it worked 🙂

Since this was a very long comments thread, while converting my comments to answer it split into two. Please accept one of the Answer which you think addressed your needs and you can up vote the comments that have helped (since you can accept only one answer :)).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@isha_rastogi, you would need to sort the results in ascending or descending order for example following gives result with highest count first.

index=_internal sourcetype=splunkd log_level="*"
| stats count by log_level
| sort - count
| head 3

Then you can use Simple XML Chart configuration charting.seriesColors to color the series in Green, Blue and Red Colors:

<option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c]</option>

Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pr...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

isha_rastogi
Path Finder

@niketn

I've pie chart with version of product installed v100, v200, v300 and apart from this I have remaining instances which don't have product installed. I want color of Remaining would be same color or fixed color no matter what what count is and version slices change color based on count.

Suppose count of v100 is 200, v200 is 500 and v300 is 150. so highest would be green then blue and red but "remaining" should always be black no matter of count even if count is 250
I'm not able to send screenshots of pie chart

Query that I'm using is
earliest=-24h latest=now index=product | stats count by VER | join [|inputlookup names.csv| search Systems="W"] | stats count(Systems) AS Count by VER| append [inputlookup stations.csv | eval VER=Remaining|search Systems=W | stats count as "Total_stations"|join [inputlookup names.csv | search Systems=W|stats count as "deployed_stations"]| eval Count= Total_stations - deployed_stations| eval VER=if(isnull(VER),"Remaining_Stations",VER) | fields - deployed_stations,Total_stations ] | sort - Count

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If you want green, blue red, then black, black ,black,black,black,black... then just tell it so

 index=_internal sourcetype=splunkd log_level="*"
 | stats count as logcount by log_level
 | sort - logcount

<option name="charting.seriesColors">[#40FF40, #3030FF, #FF3030, #000000,  #000000, #000000, #000000, #000000, #000000, #000000]</option>

You could also merge all the 4th+ records together into an "other" category...

 index=_internal sourcetype=splunkd log_level="*"
 | stats count as logcount by log_level
 | sort - logcount
 | streamstats count as recno
 | appendpipe 
    [| where recno > 3 
     | stats sum(logcount) as logcount 
     | eval log_level = "other" 
     | eval recno = 999
     ]
 | where recno<4 or recno=999 


<option name="charting.seriesColors">[#40FF40, #3030FF, #FF3030, #000000</option>
0 Karma

niketn
Legend

You can upload to some image sharing site and then embed the image using Image <img> button.

Do you have a limit on how many series are being plotted in pie like 5 or 10 ?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

isha_rastogi
Path Finder

@niketnilay Please find link of the Pie chart
https://goo.gl/photos/Rg2VBwcrGmBngbts9

I have only 4 series and 3 series not more than that

0 Karma

niketn
Legend

Looking at your query and screenshot, you just need to ensure that you apply sort Count on first query which returns V100, v200 and v300 and then append your "Remaining" series to the result. Instead of performing sort - Count in the end.

This way Remaining will always be 4th series. This way you can apply the seriesColors in your scenario

<option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c,#000000]</option>

Max number of series and sequence of series is quite important while using seriesColor. I believe, in your case it can be 4 or 3. Ensure that v100, v200 and v300 are always present even if the value is 0.

PS: While performing inputlookup you can add a where clause directly to filter on specific field rather than a separate pipe for search field name afterwards, i.e.

| inputlookup names.csv where Systems="W"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

isha_rastogi
Path Finder

@niketnilay your solution worked, but if I have 4 slices and I want one fix color for version 1 and for version 2, 3, 4 based on percentage. Any idea on how can I fix color for one slice and dynamic color scheme for others

0 Karma

niketn
Legend

@isha_rastogi, can you please provide your query and sample output so that it is more clear as to what you want to achieve.

Splunk gives charting.seriesColors for situations where series being plotted are in
1) fixed order and
2) always present in the result (should be 0 if no data is present).

In other cases where you know the field names you can use charting.fieldColors where you define field name and corresponding color as key value pair. You can refer to both in the the above link that I have provided.

If your situation is more complicated, you will have to provide more details of both your search with the fields it generates and their values, as requested.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...