Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to keep consistent pie chart colors that are assigned to variable labels in simple XML?

kkuderko
Explorer
‎10-30-2014 03:44 PM

Hi,
in simple XML I've got a search:

* "OK" OR "WARNING" OR "DOWN" OR "UNKNOWN" OR "TESTING" | rex "(?(DOWN|OK|WARNING|UNKNOWN|TESTING))" | chart count by printer_status

and assigned pie colours like:

{DOWN:0xff5050,OK:0x5cad5c,WARNING:0xffcc33,UNKNOWN:0x909090,TESTING:0x909090}

which is great.
Then I added values at the end of the labels (valid solution found on forums) by amending to:

* "OK" OR "WARNING" OR "DOWN" OR "UNKNOWN" OR "TESTING" | rex "(?(DOWN|OK|WARNING|UNKNOWN|TESTING))" | chart count by printer_status | eval foobar_slice = printer_status + " (" + count + ")" | fields foobar_slice, count

which is brilliant but it brings pie colours to defaults as the label is no longer "OK" but for example "OK (5)"

How can I keep consistent colours for labels that vary?

seriesColors property is out of the question because not always all printer_status is present.
I assume this can be achieved similar to when enabling showPercent to true which shows nicely precentage at the end of the label. But in my case I wanted to show count of the printer_status and not the precentage.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-30-2014 04:22 PM

I think the easiest way to achieve this is to use seriesColors and to make all the status appear all the time, even with a count of zero.

...  | chart count by printer_status | append [stats count | eval printer_status="DOWN OK WARNING UNKNOWN TESTING" | makemv printer_status | mvexpand printer_status] | chart max(count) as count by printer_status | eval ...

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-30-2014 04:22 PM

I think the easiest way to achieve this is to use seriesColors and to make all the status appear all the time, even with a count of zero.

...  | chart count by printer_status | append [stats count | eval printer_status="DOWN OK WARNING UNKNOWN TESTING" | makemv printer_status | mvexpand printer_status] | chart max(count) as count by printer_status | eval ...
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-31-2014 05:26 AM

I'm cool with that, marked it already.

Real time does cause some weirdness in some situations, yeah. If you're refreshing anyway then the value is small, and you can even set individual panels to refresh independently of the page.

0 Karma
Reply
Solved! Jump to solution

kkuderko
Explorer
‎10-31-2014 04:29 AM

I just discovered something! Charts look OK when is not in real time.

rt-2m: https://flic.kr/p/pAzgNB

-120s: https://flic.kr/p/oWd7VH

So, I could live with that and have the chart to not be in real time ('cause I'm refreshing the whole dashboard page every 2mins anyway) and I'm happy to accept your solution. Are you cool with that?

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-31-2014 03:57 AM

My zero field is called count, its value is the number 0 - you can see that in the overlay. The id="-" thing is just to create this dummy data.

Could you post the table that's underneath the pie chart?

0 Karma
Reply
Solved! Jump to solution

kkuderko
Explorer
‎10-31-2014 03:42 AM

it is alfabetical indeed. So I rearranged it to https://flic.kr/p/pT4HQj and I think if the TESTING appeared as 0 that would solve my problem. Is it because there is no event TESTING at all in my index while you at least assigned a "-" value to it?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-31-2014 03:01 AM

The order likely is alphabetic in chart... you can reshuffle that if you define an order field based on your status field, sort by that, and remove the order field again.

Bugger about TESTING not appearing. Seems to work on my end, it's assigned a colour as well:

alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

kkuderko
Explorer
‎10-31-2014 02:53 AM

Cheers Martin, it's close but still not quite right as I have now (clockwise): DOWN (1) - red, OK (6) - green, UNKNOWN (1) - yellow, WARNING (14) - grey. So not in correct order 'cause I'd like a WARNING to be yellow and TESTING doesnt appear with 0. I'd post the screenshot but can't paste it here yet. Maybe here
https://flic.kr/p/pQNMsW

my full query is now
* "DOWN" OR "OK" OR "WARNING" OR "UNKNOWN" OR "TESTING" | rex "(?<printer_status>(DOWN|OK|WARNING|UNKNOWN|TESTING))" | chart count by printer_status | append [stats count | eval printer_status="DOWN OK WARNING UNKNOWN TESTING" | makemv printer_status | mvexpand printer_status] | chart max(count) as count by printer_status | eval foobar_slice = printer_status + " (" + count + ")" | fields foobar_slice, count

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...