Splunk Search

Is there a way to change the default colors of a column chart?

pwongcha
Explorer

Is there a way to change color on the chart to be yellow, pink, green, orange and blue instead of default ones (blue, yellow, orange, purple, and green)?

So far, I am able to accomplish these tasks
1. put date_wday as the column and displayed on the chart
2. put on the host on the x series.
3. display date_wday by monday - friday instead of alphabetically friday - wednesday

sourcetype="psoftapp-appsrv" host="csappprd*" 
earliest=-8d date_hour>= 9 date_hour<= 17 NOT date_wday=sunday NOT date_wday=saturday
| rex field=_raw "GetCertificate\]\(3\) Returning context. ID=(?[^,]*)" 
| search NOT (userID=PSAPPSRV OR userID=GUEST) 
| bucket _time span=1d
| stats count by _time, host, date_wday 
| xyseries host date_wday count  
| fields host monday tuesday wednesday thursday friday
0 Karma

arkadyz1
Builder

Look into charting.seriesColors option for your chart (cannot be edited from dashboard editor, has to be put directly into simple XML). Here is an example from "Dashboards and Visualizations" manual (I'm still using 6.3, so that's where I'm quoting from):

<chart>
    <searchName>My saved report</searchName>
    <option name="charting.seriesColors">
        [0xFF0000,0xFFFF00,0x00FF00]
    </option>
</chart>

I believe you can specify up to 30 colors, but do get the manual and check by yourself.

There is also a much more elaborate charting.myColorPalette... option family, but I never tried it myself.

0 Karma

pwongcha
Explorer

Ok I tried the dashboard and i can do this. So that means this can't be done via on demand search box...?

0 Karma

arkadyz1
Builder

I would guess that there is a setting somewhere under etc/system which could change the default, or maybe it's in one of the Splunk's Python files, but in general, no, you can't do that in the simple search box. There's no reason for it, too - search is a development tool, not an end product.

0 Karma

pwongcha
Explorer

I don't know how to change via "Simple XML source code"

Could you please guide me on that?

Does it mean you can't add any syntax to the search box?

0 Karma

arkadyz1
Builder

After you generate a dashboard (most probably a form), you can then edit the source directly. That's where you will have to find your chart and add the options.

0 Karma

somesoni2
Revered Legend

See the example of specifying custom colors based on field name here.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/BuildandeditdashboardswithSimplifiedXML#Specif...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...