The original query: host="MEIPC" source="WinEventLog:Application" OR source="WinEventLog:Security" OR source="WinEventLog:System" |chart count by source
A could be solution I could not get to work:
| top limit=10 class showperc=f countfield="source"
| reverse
| transpose header_field="Class" column_name="Class"
| search class="source"
So I tried searching all over to change the color of the bars of each of 3 sources I gathered data from. I put it in the dashboard and I noticed that it groups it all under an encompassing source, without an individual option for each source. This is labeled under the X axis. However, when I try to change the color of the bars, only changing the color of count which is the Y axis changes the color of the bars. This confuses me because I would think that I can simply change the color options in the menus of dashboard for each individual X axis source but instead its the Y axis count that changes the color of the bars, and there is no option to change the coloration to the X axis source. What also confuses me, is when I look at statistics, there are 3 sources to gather the data from. Please leave a comment if you have the time, thank you so much Splunk Community!
Colours are assigned to series i.e. all bars from the same series are in the same colour. This is because of the way they are drawn in the chart viz i.e. they are drawn as a single shape for the whole series, not individual bars. If you want them to have different colours, they need to be different series. Think of the table of data, all data points in the same column of the table will have the same colour in the chart.