Splunk Search

How to change colors on bars of a chart according to column values?

nagar57
Communicator

I want to apply different colors on different bars according to my Column values.
My column values are: A,B,C. These will remain fixed.

I tried this:

    <search>
<query>index=<> sourcetype=<> source=<>
| stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C</query>
<earliest>$earnTime.earliest$</earliest>
<latest>$earnTime.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.minimumNumber">0</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">10</option>
<option name="charting.chart.bubbleMinimumSize">1</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.columnSpacing">20</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.fieldColors">{"A":0x009900, "B":0x0099CC, "C":0xCC6600}</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="height">198</option>
<option name="refresh.display">progressbar</option>

But my "A" value is not coming in the graph and getting aligned on x axis with the count.
Can someone please tell me where I am going wrong?
alt text

Labels (4)
0 Karma
1 Solution

niketn
Legend

@nagar57, try the following:

index=<> sourcetype=<> source=<> channel IN ("A","B","C")
 | stats count by channel
 | transpose 3 header_field=channel

Or else if you want to stick to your query, try the following:

index=<> sourcetype=<> source=<> channel IN ("A","B","C")
| stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C
| eval channel="count"
| fields channel A B C
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@nagar57, try the following:

index=<> sourcetype=<> source=<> channel IN ("A","B","C")
 | stats count by channel
 | transpose 3 header_field=channel

Or else if you want to stick to your query, try the following:

index=<> sourcetype=<> source=<> channel IN ("A","B","C")
| stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C
| eval channel="count"
| fields channel A B C
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nagar57
Communicator

@niketnilay I was able to figure out this workaround by my own. But I am not able to get one thing. Just like Pie charts we can give colors as ".serieColors" and it gets reflected automatically in the Chart. Then why Column/Bar charts don't behave like this.
And one last thing why the 1st column is going to the x-axis in your above solution or why I need to create a dummy 1st column so that other columns can align properly in the chart.?

niketn
Legend

charting.seriesColors is available for all charts. When you don't do transpose or eval(count(field)) as field you have only one series (which is shown as legend, in above case count). So there will be only one color for only one series i.e. count.

Think what are you plotting, how would chart know what is your x-axis and y-axis. Usually first column goes as x-axis and Other column names make the series/legend.

For example for if you do | timechart count by field, _time becomes x-axis and field values make the series or legends.

Hope it clarifies stuff! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

to4kawa
Ultra Champion
<query>| tstats count where index=<> sourcetype=<> source=<> by channel| where IN(channel,"A","B","C")</query>

your statistics result should have two columns, channel and count

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...