The original query: host="MEIPC" source="WinEventLog:Application" OR source="WinEventLog:Security" OR source="WinEventLog:System" |chart count by source
A could be solution I could not get to work:
| top limit=10 class showperc=f countfield="source"
| reverse
| transpose header_field="Class" column_name="Class"
| search class="source"
So I tried searching all over to change the color of the bars of each of 3 sources I gathered data from. I put it in the dashboard and I noticed that it groups it all under an encompassing source, without an individual option for each source. This is labeled under the X axis. However, when I try to change the color of the bars, only changing the color of count which is the Y axis changes the color of the bars. This confuses me because I would think that I can simply change the color options in the menus of dashboard for each individual X axis source but instead its the Y axis count that changes the color of the bars, and there is no option to change the coloration to the X axis source. What also confuses me, is when I look at statistics, there are 3 sources to gather the data from. Please leave a comment if you have the time, thank you so much Splunk Community!
... View more