Splunk Search

Why is "charting.fieldColors" not working?

leomedina
Explorer

Hello all,

I'm in a pickle here... I've been trying to get the following "charting.fieldColors" changed but for some reason, it isn't working. Greatly appreciate the second set of eyes. I've tried using single quotes and HEX as well but still can't seem to get to change.

        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.fieldColors">{"Success":9BE8AB, "Error":E87D6F}</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">none</option>            

Thanks!

niketn
Legend

@leomedina.... you are missing 0x before the hex color codes

    <option name="charting.fieldColors">{"Success":0x9BE8AB, "Error":0xE87D6F}</option>

You can explore seriesColors as alternative to fieldColors if you do not want to use the names of the fields. This is more like coloring the series based on sequence i.e. first series will get 0x9BE8AB and second 0xE87D6F. If you have more than two series and only two colors defined in seriesColors then third series will pick 0x9BE8AB and so on.

    <option name="charting.seriesColors">[0x9BE8AB, 0xE87D6F]</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lakshmisri
New Member

I gave with 0x but still it is not coming up. The bar chart in my case is horizontal display as opposed to vertical ones

0 Karma

niketn
Legend

@lakshmisri, so what I understand is that you are using Bar Chart and not Column chart.
The Simple XML Configuration charting.fieldColors or charting.seriesColors should be applicable to Bar Chart as well. Make sure field names used in chart configuration are the same as field in the Splunk search.

Refer to following documentation for the same. You can see that field name is all upper case in the search (see Legends i.e. ERROR etc.) as well as chart configuration.

Also refer to Chart Configuration reference, for some special characters in the field names that need to be escaped.http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pro...

Can you give your current search query or field name? Also have you tried with seriesColors option, whether that would work for your use case.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lakshmisri
New Member

| stats sum(td_cnt) as td_count, sum(fd_count) as fd_count by category | eval Total = td_cnt+ fd_count| sort category | table category Total |eval Total = round(Total/1000, 0)

Basically if i apply for total it is working but for every category am trying to get a color

0 Karma

niketn
Legend

I hope you understand the difference between fieldColors and seriesColors.

If you split by category you will have to know each field name to apply the fieldColor (you can check out what legend is displayed to come up with Field Names for fieldColor).

If there are two many fields or you do not have fixed field names you should better use seriesColors.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

lakshmisri
New Member

I tried both of these. It is just taking the standard color and not getting applied. Hence not sure how to address it.

0 Karma

niketn
Legend

Based on the details so far, your field names are td_cnt, fd_count and Total. Is this correct?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

lakshmisri
New Member

Yes finally am showing the Total by Category. So I need to apply the color for the Category

0 Karma

niketn
Legend

Have you tried something like following?

<option name="charting.fieldColors">{"td_cnt":0x9BE8AB, "fd_count ":0xE87D6F,"Total":0xFF0000}</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

lakshmisri
New Member

I want or the values for the category

0 Karma

niketn
Legend

I am not grasping your request. Do you have fixed field names or not? Can you paste sample output of your query?

In case you do not know your field names your only option would be to use seriesColors instead.

<option name="charting.seriesColors">[0x9BE8AB, 0xE87D6F,0xFF0000}</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

MinboChung
Engager

A good solution for the issue. Ignore the typo.

0 Karma

bjo
Engager

I have the same problem. Suppose I pass my data through stats into the bar/column chart, e.g. :

stats avg(Duration) as AvgDuration by Method

I expected colors to be applied based on each Method that gets charted out, e.g. "Method1", "Method2", but instead it applies just one color for the field (AvgDuration).

Pie charts work as expected, so it seems like a bug/feature of bar & column charts.

I suspect it's a feature (rather than a bug). Unlike pie charts, which work on a single field, bar charts can work on multiple fields. For example if my stats command was:

stats avg(Duration) as AvgDuration, min(Duration) as MinDuration by Method

My bar chart would have an AvgDuration and MinDuration bar for both "Method1" and "Method2", and it aligns the colors along the field names (AvgDuartion and MinDuration) rather than the series names ("Method1", "Method2").

Is there a way to tell the bar chart to color the series names instead of the field names? Or a way to put the bar chart in single-field mode?

0 Karma

niketn
Legend

@bjo this is not a bug with Splunk. For the first query when you plot AvgDuration your field name is AvgDuration and its values are average for Method1, Method2 etc.

One of the options would be to use transpose.

 <yourSearch>
| stats avg(Duration) as AvgDuration by Method
|  transpose 0 header_field="Method" column_name="Method"

Similarly,

 <yourSearch>
| stats avg(Duration) as AvgDuration, min(Duration) as MinDuration  by Method
| transpose 0 header_field="Method" column_name="Method"

PS: One of recent answers on similar lines: https://answers.splunk.com/answers/689833/how-do-you-customize-colors-in-a-bar-chart.html#answer-689...

Alternatively if you are on Splunk 6.6 or Higher you can also try out the Trellis Visualization Layout which should give more control to Split Charts based on field of your interest and hence will apply color accordingly.

Please try out and confirm and do up-vote it this helps.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

bjo
Engager

Indeed, I agree it is a feature, and I was able to transpose everything to get it to work.

transpose 0 header_field="Method"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...