@isha_rastogi, you would need to sort the results in ascending or descending order. For example, the following gives the result with the highest count first:
index=_internal sourcetype=splunkd log_level="*" | stats count by log_level | sort - count | head 3
Then you can use Simple XML Chart configuration charting.seriesColors to color the series in Green, Blue and Red Colors:
<option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c]</option>
Refer to Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pr...
@niketnilay your solution worked, but if I have 4 slices and I want one fixed color for version 1, and for version 2, 3, 4 based on percentage. Any idea on how I can fix the color for one slice and have a dynamic color scheme for the others?
@isha_rastogi, can you please provide your query and sample output so that it is more clear as to what you want to achieve.
charting.seriesColors for situations where series being plotted are in
1) fixed order and
2) always present in the result (should be 0 if no data is present).
In other cases where you know the field names you can use charting.fieldColors, where you define field name and corresponding color as a key-value pair. You can refer to both in the above link that I have provided.
If your situation is more complicated, you will have to provide more details of both your search with the fields it generates and their values, as requested.
I have a pie chart with the versions of the product installed, v100, v200, v300, and apart from this I have the remaining instances which don't have the product installed. I want the color of Remaining to be the same fixed color no matter what the count is, and the version slices to change color based on count.
Suppose the count of v100 is 200, v200 is 500 and v300 is 150. So the highest would be green, then blue and red, but "remaining" should always be black no matter the count, even if the count is 250.
I'm not able to send screenshots of pie chart
Query that I'm using is
earliest=-24h latest=now index=product | stats count by VER | join [|inputlookup names.csv| search Systems="W"] | stats count(Systems) AS Count by VER| append [inputlookup stations.csv | eval VER=Remaining|search Systems=W | stats count as "Totalstations"|join [inputlookup names.csv | search Systems=W|stats count as "deployedstations"]| eval Count= Totalstations - deployedstations| eval VER=if(isnull(VER),"RemainingStations",VER) | fields - deployedstations,Total_stations ] | sort - Count
You can upload to some image sharing site and then embed the image using Image
Do you have a limit on how many series are being plotted in pie like 5 or 10 ?
@niketnilay Please find link of the Pie chart
I have only 4 series and 3 series not more than that
Looking at your query and screenshot, you just need to ensure that you apply sort Count on first query which returns V100, v200 and v300 and then append your "Remaining" series to the result. Instead of performing sort - Count in the end.
This way Remaining will always be 4th series. This way you can apply the seriesColors in your scenario
<option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c,#000000]</option>
Max number of series and sequence of series is quite important while using seriesColor. I believe, in your case it can be 4 or 3. Ensure that v100, v200 and v300 are always present even if the value is 0.
PS: While performing inputlookup you can add a where clause directly to filter on specific field rather than a separate pipe for search field name afterwards, i.e.
| inputlookup names.csv where Systems="W"
If you want green, blue red, then black, black ,black,black,black,black... then just tell it so
index=_internal sourcetype=splunkd log_level="*" | stats count as logcount by log_level | sort - logcount
<option name="charting.seriesColors">[#40FF40, #3030FF, #FF3030, #000000, #000000, #000000, #000000, #000000, #000000, #000000]</option>
You could also merge all the 4th+ records together into an "other" category...
index=_internal sourcetype=splunkd log_level="*" | stats count as logcount by log_level | sort - logcount | streamstats count as recno | appendpipe [| where recno > 3 | stats sum(logcount) as logcount | eval log_level = "other" | eval recno = 999 ] | where recno<4 or recno=999
<option name="charting.seriesColors">[#40FF40, #3030FF, #FF3030, #000000]</option>
@isha_rastogi, based on the query and screenshot, you should sort the results of main search which returns v300. Then you should use append to merge Remaining series in the end as 4th row in the table.
Currently you are applying | sort - Count after append, which will also sort the Remaining series, which you always want as the last row in your table. Please try this out and seriesColors should work fine for you:
<option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c, #000000]</option>
PS: As stated earlier, seriesColors is dependent on the max number of series to be plotted and their sequence. So ensure that v100, v200 and v300 are always present.
Also while using inputlookup you can directly use where condition to filter on field value rather than another pipe with search so your inputlookup can be changed to the following:
| inputlookup names.csv where Systems="W"
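The ordering advice from this thread, put together as one Simple XML panel. This is an added example, not a query posted by anyone in the thread: the index, lookup files and field names are taken from the question, while the simplified version count, the makeresults zero-fill and the appendcols subtraction are assumptions about how the pieces fit together.

```xml
<chart>
  <title>Installed versions vs. remaining stations</title>
  <search>
    <!-- 1. Count per version.
         2. Zero-fill v100/v200/v300 so all three series always exist
            (assumed list of versions).
         3. Sort ONLY the version rows, highest count first.
         4. Append "Remaining" last so it is always the 4th series. -->
    <query>index=product earliest=-24h latest=now
| stats count AS Count by VER
| append
    [| makeresults
     | eval VER=split("v100,v200,v300", ",")
     | mvexpand VER
     | eval Count=0
     | fields VER Count]
| stats sum(Count) AS Count by VER
| sort - Count
| append
    [| inputlookup stations.csv where Systems="W"
     | stats count AS Totalstations
     | appendcols
         [| inputlookup names.csv where Systems="W"
          | stats count AS deployedstations]
     | eval Count=Totalstations-deployedstations, VER="Remaining"
     | fields VER Count]</query>
  </search>
  <option name="charting.chart">pie</option>
  <!-- Positional mapping: row 1 green, row 2 blue, row 3 red, row 4 black -->
  <option name="charting.seriesColors">[#65a637, #6db7c6, #d93f3c, #000000]</option>
</chart>
```

Because seriesColors is applied by row position, any sort placed after the final append would move Remaining out of the fourth slot and break the fixed black color.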