Splunk Search

How do I change the color of each individual bar in a visual chart from a single query?

DataMechanic
Engager

The original query: host="MEIPC" source="WinEventLog:Application" OR source="WinEventLog:Security" OR source="WinEventLog:System" |chart count by source


A possible solution I could not get to work:

| top limit=10 class showperc=f countfield="source"
| reverse
| transpose header_field="Class" column_name="Class"
| search class="source"

So I tried searching all over to change the color of the bars of each of the 3 sources I gathered data from. I put it in the dashboard and I noticed that it groups it all under an encompassing source, without an individual option for each source. This is labeled under the X axis. However, when I try to change the color of the bars, only changing the color of count, which is the Y axis, changes the color of the bars. This confuses me because I would think that I can simply change the color options in the menus of the dashboard for each individual X axis source, but instead it's the Y axis count that changes the color of the bars, and there is no option to change the coloration of the X axis source. What also confuses me is that when I look at statistics, there are 3 sources to gather the data from. Please leave a comment if you have the time, thank you so much Splunk Community!


ITWhisperer
SplunkTrust

Colours are assigned to series i.e. all bars from the same series are in the same colour. This is because of the way they are drawn in the chart viz i.e. they are drawn as a single shape for the whole series, not individual bars. If you want them to have different colours, they need to be different series. Think of the table of data, all data points in the same column of the table will have the same colour in the chart.
