Re: Change column color if over a range

pinzer · ‎09-24-2010

Hi all, i need to change the color of a bar of the column chart if the value is higher than a number.
How can i do this?
My search query is:

eventtype="searchDC" Type="Audit Success" CategoryString="Logon/Logoff" | stats count by user

Thanks to all who can help me

southeringtonp · ‎09-26-2010

I'm not sure this is doable directly, but you can cheat by splitting your data into two series:

eventtype="searchDC" Type="Audit Success" CategoryString="Logon/Logoff"
| stats count by user
| eval high=if(count>1000,count,0)
| eval low=count-high
| fields user,high,low

Replace 1000 with whatever you want your threshold number to be.

When you create your bar chart, set Stack Mode to 'stacked' and Multi-series mode to 'Combined' so that the empty bars don't leave gaps. The legend will also show two series ("high" and "low"), but you can always just turn the legend display off.

If you are using it in a dashboard and want a specific color, such as turning all of the "high" values red, take a look at this page: http://www.splunk.com/base/Documentation/4.1.5/Developer/AdvancedCharting

Change column color if over a range

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...