- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Coloring slices of a pie by the status of the slic...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Coloring slices of a pie by the status of the slice
I am looking for a visualization mechanism to colorize slices of a pie by their status OK (green), Warning (yellow), Major (orange), Critical (red).
All of the pie chart viz examples I have seen are ranked by count of some category, and I want to rank by status. In the example below, I have 4 groups of services, each with a number of service instances providing service up to a maximum number defined for the group. I would like to visually see a group NofM colored by status and not ranked by count.
Any ideas on where to go? The pie chart viz is ruled out per the above (I think). I looked for other visualizations such as the starburst, but it didn't present the way I wanted to.
Example SPL:
| makeresults
| eval dbs = "[{\"entity\":\"I0\",\"instanceCount\":\"0\",\"instanceMax\":\"3\"},{\"entity\":\"I1\",\"instanceCount\":\"1\",\"instanceMax\":\"3\"},{\"entity\":\"I2\",\"instanceCount\":\"2\",\"instanceMax\":\"3\"},{\"entity\":\"I3\",\"instanceCount\":\"3\",\"instanceMax\":\"3\"}]"
| spath input=dbs path={} output=dblist
| mvexpand dblist
| spath input=dblist
| eval pct_avail=round(100*instanceCount/instanceMax,1)
| eval status=case(pct_avail=100, "OK", pct_avail>=50, "Warning", pct_avail>1, "Major", true(), "Critical")
| eval color=case(
status="Critical", "#FF0000",
status="Major", "#D94E17",
status="Warning", "#CBA700",
status="OK", "#118832",
true(), "#1182F3"
)
| stats count by entity
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Followup to previous, the SPL below shows status 'dots' in a chart. I am prepared to use it if I can't find a pie slice coloring that will work for me.
| makeresults
| eval dbs = "[{\"entity\":\"I0\",\"instanceCount\":\"0\",\"instanceMax\":\"3\"},{\"entity\":\"I1\",\"instanceCount\":\"1\",\"instanceMax\":\"3\"},{\"entity\":\"I2\",\"instanceCount\":\"2\",\"instanceMax\":\"3\"},{\"entity\":\"I3\",\"instanceCount\":\"3\",\"instanceMax\":\"3\"}]"
| spath input=dbs path={} output=dblist | mvexpand dblist
| spath input=dblist
| eval pct_avail=round(100*instanceCount/instanceMax,1)
| eval status=case(pct_avail=100, "🟢", pct_avail>=50, "🟡️", pct_avail>1 , "🟠" ,true(), "🔴")
| table _time entity instanceCount instanceMax pct_avail status
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
