How to change column colors in a chart based on a duration value?

briangmadden
Explorer

I have a search that compares values in two files and comes up with duration it took to process a job.

    index=abc sourcetype=abc source=PRD | eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S") | join jobid [search index=abc sourcetype=abc_response source=PRD | eval "Response_Status"=status | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")] | eval d=rtime-otime | eval Duration=d/60 | table jobid,Duration | reverse

Jobid is individual and will only appear once. The output is then graphed in a dashboard. At the moment all columns in the graph are blue. I need the columns to be either green or red depending on whether the duration is greater or less than 15: green if duration < 15 and red if duration > 15.

Tried adding an additional eval, but it throws: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). None of these seem to work for me.

    index=abc sourcetype=abc source=PRD | eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S") | join jobid [search index=abc sourcetype=abc_response source=PRD | eval "Response_Status"=status | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")] | eval d=rtime-otime | eval Duration=d/60 | eval urgent = duration > (15*60) | table jobid,Duration | reverse

Any help much appreciated.

0 Karma

schatzb
Explorer

You can split the counts into two different variables and then display them as a stacked bar chart.

    | eval Red=case(count<15,count,count>=15,0)
    | eval Green=case(count>=15,count,count<15,0)
    | table job_id, Red, Green

Your data will look similar to this:

    Case   Count   Red   Green
    1      8       8     0
    2      1       1     0
    3      11      11    0
    4      55      0     55
    5      44      0     44
    6      233     0     233
    7      48      0     48
    8      10      10    0

Then create a bar chart with both Red and Green and use the charting.fieldColors setting in the XML to designate the color of each variable:

    <option name="charting.fieldColors">{"Red":0xFF0000,"Green":0x00FF00}</option>
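Putting this approach together for the asker's own fields, as an added example that is not from the original post: a Simple XML panel whose search uses if() (as the error message suggests) to split Duration into two fields, stacks them, and colours them with charting.fieldColors. The field names Over15/Under15, the placement of exactly 15 minutes in the green bucket and the time range are my assumptions.

```xml
<dashboard>
  <label>Job processing duration (added example)</label>
  <row>
    <panel>
      <title>Duration per job: red when over 15 minutes, green otherwise</title>
      <chart>
        <!-- Each jobid ends up in exactly one of the two fields; the other is 0,
             so the stacked column shows a single colour per job. -->
        <search>
          <query>index=abc sourcetype=abc source=PRD
| eval otime=strptime(pub_date,"%Y-%m-%d %H:%M:%S")
| join jobid [search index=abc sourcetype=abc_response source=PRD
    | eval rtime=strptime(comp_date,"%Y-%m-%d %H:%M:%S")]
| eval Duration=(rtime-otime)/60
| eval Over15=if(Duration>15, Duration, 0)
| eval Under15=if(Duration>15, 0, Duration)
| table jobid, Over15, Under15
| reverse</query>
          <!-- Assumed time range; adjust to the dashboard's needs. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <!-- Keys must match the field names produced by the search exactly. -->
        <option name="charting.fieldColors">{"Over15":0xFF0000,"Under15":0x00FF00}</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The second eval avoids a literal `<` inside the XML element text, which would otherwise need to be escaped as `&lt;`.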

gpalla91
New Member

Have you tried creating your search in a Pivot? This will easily allow you to configure your graph with a different color for different durations.

0 Karma