Re: Change column color if over a range

pinzer · ‎09-24-2010

Hi all, i need to change the color of a bar of the column chart if the value is higher than a number.
How can i do this?
My search query is:

eventtype="searchDC" Type="Audit Success" CategoryString="Logon/Logoff" | stats count by user

Thanks to all who can help me

southeringtonp · ‎09-26-2010

I'm not sure this is doable directly, but you can cheat by splitting your data into two series:

eventtype="searchDC" Type="Audit Success" CategoryString="Logon/Logoff"
| stats count by user
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields user,high,low

Replace 1000 with whatever you want your threshold number to be.

When you create your bar chart, set Stack Mode to 'stacked' and Multi-series mode to 'Combined' so that the empty bars don't leave gaps. The legend will also show two series ("high" and "low"), but you can always just turn the legend display off.

If you are using it in a dashboard and want a specific color, such as turning all of the "high" values red, take a look at this page: http://www.splunk.com/base/Documentation/4.1.5/Developer/AdvancedCharting

Change column color if over a range

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Change column color if over a range

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases