How to change colors on bars of a chart according to column values?

nagar57
Communicator

I want to apply different colors on different bars according to my Column values.
My column values are: A,B,C. These will remain fixed.

I tried this:

    <search>
      <query>index=<> sourcetype=<> source=<>
    | stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C</query>
      <earliest>$earnTime.earliest$</earliest>
      <latest>$earnTime.latest$</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.minimumNumber">0</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">10</option>
    <option name="charting.chart.bubbleMinimumSize">1</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.columnSpacing">20</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.fieldColors">{"A":0x009900, "B":0x0099CC, "C":0xCC6600}</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">none</option>
    <option name="height">198</option>
    <option name="refresh.display">progressbar</option>

But my "A" value is not showing up in the graph and is getting aligned on the x-axis with the count.
Can someone please tell me where I am going wrong?

niketn
Legend

@nagar57, try the following:

index=<> sourcetype=<> source=<> channel IN ("A","B","C")
 | stats count by channel
 | transpose 3 header_field=channel

Or else if you want to stick to your query, try the following:

index=<> sourcetype=<> source=<> channel IN ("A","B","C")
| stats count(eval(channel="A")) as A count(eval(channel="B")) as B count(eval(channel="C")) as C
| eval channel="count"
| fields channel A B C
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


nagar57
Communicator

@niketnilay I was able to figure out this workaround on my own. But I am not able to get one thing. Just like pie charts, we can give colors as ".seriesColors" and it gets reflected automatically in the chart. Then why don't column/bar charts behave like this?
And one last thing: why is the 1st column going to the x-axis in your above solution, or why do I need to create a dummy 1st column so that the other columns can align properly in the chart?

niketn
Legend

charting.seriesColors is available for all charts. When you don't do transpose or eval(count(field)) as field you have only one series (which is shown as legend, in above case count). So there will be only one color for only one series i.e. count.

Think about what you are plotting: how would the chart know what your x-axis and y-axis are? Usually the first column goes as the x-axis and the other column names make the series/legend.

For example, if you do | timechart count by field, _time becomes the x-axis and the field values make the series or legends.

Hope it clarifies stuff! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
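
A run-anywhere panel for the behaviour discussed in this thread, added here as an example and not taken from any of the posts: it combines the `transpose` search with the `charting.fieldColors` option from the question. The `makeresults` data (one A event, two B, three C), the field `n` and the dashboard label are constructed for illustration.

```xml
<dashboard>
  <label>Column colors by channel (constructed example)</label>
  <row>
    <panel>
      <chart>
        <!--
          Constructed sample data: 6 events with channel = A (1), B (2), C (3).
          After "stats count by channel" the table has two columns,
          channel and count, so the chart sees ONE series named "count".
          "transpose 3 header_field=channel" turns that into one row:
            column | A | B | C
            count  | 1 | 2 | 3
          The first column ("column") becomes the x-axis, and A, B, C
          become three series that fieldColors can match by name.
        -->
        <search>
          <query>| makeresults count=6
| streamstats count as n
| eval channel=case(n>3,"C", n>1,"B", true(),"A")
| stats count by channel
| transpose 3 header_field=channel</query>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <!-- Keys must equal the series (column) names produced by the search -->
        <option name="charting.fieldColors">{"A":0x009900, "B":0x0099CC, "C":0xCC6600}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Removing the `transpose` line leaves a single `count` series, so none of the `fieldColors` keys match and every bar gets the same color.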

to4kawa
Ultra Champion
<query>| tstats count where index=<> sourcetype=<> source=<> by channel| where IN(channel,"A","B","C")</query>

Your statistics result should have two columns, channel and count.
