Splunk Search

Chart colors by search values

Communicator

I have a column chart showing event counts based on host name from two different indexes:

index="main" OR index="wineventlog" | stats count by host

What I would like to achieve is to be able to show the hosts from the main index in one color and the hosts from wineventlog index as a different color.

I've used something like:

  (index="main" OR index="wineventlog") 
 | chart count as total by host,index
 | eval redCount = if(index=="main",total, 0) 
 | eval greenCount = if(index=="wineventlog", total, 0) 
 | fields host redCount greenCount

However all hosts were returned with a 0 value.

Any suggestions greatly appreciated.

0 Karma
1 Solution

Communicator

After reviewing the various responses (thank you all for contributing) and combining various aspects, I have been able to come up with the solution I was after.

 (index="main" OR index="wineventlog") 
    | stats count as total by host,index 
    | eval host=lower(host) 
    | sort host 
    | eval Linux = if(index=="main",total, 0) 
    | eval Windows = if(index=="wineventlog", total, 0) 
    | fields host Linux Windows

This results in a column chart and when altering the formatting to be a stacked column chart and setting the colours

<option name="charting.seriesColors">[0xC53151,0x0066FF]</option>

I have the chart I was after showing the number of events per host with linux hosts in red and windows in blue.

Again, thank you for your contributions.


0 Karma


New Member

Hi Balcv,

I used index="_internal" since I don't have index="main" in my Splunk environment, and just renamed it to "index=main". Basically, to answer your question, you can manually assign whatever color you want depending on the field name in your search. To do that you need to add a new option name parameter for "charting.fieldColors" in your XML dashboard.

<option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>

Hex color values:
FF0000 = Red
008000 = Green

Below is the search string I used.

index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"

Try the full XML code below so you can see and test it.

<dashboard>
  <label>Column Chart (Manual change color depending on the field name on XML)</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>
        <option name="charting.legend.placement">top</option>
      </chart>
    </panel>
  </row>
</dashboard>

Let me know if this answers your question. Thanks

Kelz

0 Karma
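Putting the accepted search and Kelz's dashboard skeleton together, here is a complete Simple XML panel as an added example (not code from any of the posters). It keeps `stats` rather than `chart` because `chart count BY host, index` pivots the index values into column names, so no `index` field survives for `eval` to test, which is why the first attempt returned zeros. It also goes one step further than the accepted answer: a final `stats ... BY host` collapses the per-(host, index) rows, so a host that logs to both indexes gets one stacked bar instead of two. The time range and label are assumptions.

```xml
<dashboard>
  <label>Events per host, coloured by source index (added example)</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>(index="main" OR index="wineventlog")
| stats count AS total BY host, index
| eval host=lower(host)
| eval Linux = if(index=="main", total, 0)
| eval Windows = if(index=="wineventlog", total, 0)
| stats sum(Linux) AS Linux sum(Windows) AS Windows BY host
| sort host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- "stacked" draws the Linux and Windows counts as one bar per host -->
        <option name="charting.chart.stackMode">stacked</option>
        <!-- series colours apply in column order: Linux (red), then Windows (blue) -->
        <option name="charting.seriesColors">[0xC53151,0x0066FF]</option>
        <option name="charting.legend.placement">top</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If you prefer colours tied to the series name rather than its position, swap the seriesColors line for `charting.fieldColors` with `{"Linux":0xC53151,"Windows":0x0066FF}`, as in Kelz's post.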

Legend

Hi balcv,
try something like this

 (index="main" OR index="wineventlog") 
| stats sum(eval(if(index="main",1,0))) AS redCount sum(eval(if(index="wineventlog",1,0))) AS greenCount BY host
| table host redCount greenCount

Bye.
Giuseppe

0 Karma

Communicator

Thanks @gcusello. Unfortunately this produced errors in the stats statement telling me the eval statement is invalid. Thanks anyway.

0 Karma

New Member

We can use table formatting of colors.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/TableFormatsFormatting

Please check if this helps.

Regards,
Santosh

0 Karma

Communicator

Will do. Thanks.

0 Karma