Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Coloring slices of a pie by the status of the slice

peiffer
Path Finder
‎09-17-2024 02:19 PM

I am looking for a visualization mechanism to colorize slices of a pie by their status OK (green), Warning (yellow), Major (orange), Critical (red).

All of the pie chart viz examples I have seen are ranked by count of some category, and I want to rank by status.  In the example below, I have 4 groups of services, each with a number of service instances providing service up to a maximum number defined for the group.  I would like to visually see a group NofM colored by status and not ranked by count.

Any ideas on where to go?  The pie chart viz is ruled out per the above (I think).  I looked for other visualizations such as the starburst,  but it didn't present the way I wanted to.

Example SPL:

| makeresults
| eval dbs = "[{\"entity\":\"I0\",\"instanceCount\":\"0\",\"instanceMax\":\"3\"},{\"entity\":\"I1\",\"instanceCount\":\"1\",\"instanceMax\":\"3\"},{\"entity\":\"I2\",\"instanceCount\":\"2\",\"instanceMax\":\"3\"},{\"entity\":\"I3\",\"instanceCount\":\"3\",\"instanceMax\":\"3\"}]"
| spath input=dbs path={} output=dblist
| mvexpand dblist
| spath input=dblist
| eval pct_avail=round(100*instanceCount/instanceMax,1)
| eval status=case(pct_avail=100, "OK", pct_avail>=50, "Warning", pct_avail>1, "Major", true(), "Critical")
| eval color=case(
    status="Critical", "#FF0000",
    status="Major", "#D94E17",
    status="Warning", "#CBA700",
    status="OK", "#118832",
    true(), "#1182F3"
)
| stats count by entity

 

Labels (1)
Labels
0 Karma
Reply

peiffer
Path Finder
‎09-17-2024 02:25 PM

Followup to previous, the SPL below shows status 'dots' in a chart.  I am prepared to use it if I can't find a pie slice coloring that will work for me.

| makeresults 
| eval dbs = "[{\"entity\":\"I0\",\"instanceCount\":\"0\",\"instanceMax\":\"3\"},{\"entity\":\"I1\",\"instanceCount\":\"1\",\"instanceMax\":\"3\"},{\"entity\":\"I2\",\"instanceCount\":\"2\",\"instanceMax\":\"3\"},{\"entity\":\"I3\",\"instanceCount\":\"3\",\"instanceMax\":\"3\"}]"
| spath input=dbs path={} output=dblist | mvexpand dblist
| spath input=dblist
| eval pct_avail=round(100*instanceCount/instanceMax,1)
| eval status=case(pct_avail=100, "🟢", pct_avail>=50, "🟡️", pct_avail>1 , "🟠" ,true(), "🔴")
| table _time entity instanceCount instanceMax pct_avail status
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...