- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use eval for setting up different color bar...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use eval for setting up different color bars?
Hi,
I have created a dashboard panel which lists out top actions taken by a Palo Alto firewall. The Action field takes values - pass, reject, drop & allow. I want to use different colors for the different bars. Below mentioned is the XML code which I am using, which is not returning the results I am expecting. Please help me rewrite the eval function.
<dashboard>
<label>Palo Alto Firewall Action Summary</label>
<row>
<panel>
<chart>
<title>Action Summary</title>
<searchString>source="PaloAlto.csv"| top limit=20 Action
| eval redCount=searchmatch("reject")
| eval yellowCount=searchmatch("pass")
| eval greenCount=searchmatch("allow")
| eval orangeCount=searchmatch("drop")
</searchString>
<earliestTime>0</earliestTime>
<latestTime/>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="charting.fieldColors">{"redCount":0xFF0000,"yellowCount":0xFFFF00,"greenCount":0x73A550,"orangeCount":0xFF6600}</option>
</chart>
</panel>
</row>
</dashboard>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I tryed to see what you have done and i saw certain errors in your code.
- Error in eval command : eval redCount=searchmatch("reject") is not good. Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]), or case(x,"y")...
- Since you are using the searchmatch() function to match strings in your events, |top limit=20 Action is not good. After retrieving events, you should directly match your term before any transforming command.
- I did not see any transforming command to build your chart in your code. Since you want to use different colors for the different bars, after eval, you should use any transforming command, like chart, timechart, stats, top, eventstats..... to build your chart.
See bellow, your same code updated, and i think it should help you understand what to do. just test it, i hope it is working properly.
Here my group field takes values-pipeline and deploy-server. i will use red color for pipeline values and yellow color for deploy values.
<dashboard>
<label>Color bars with Eval</label>
<row>
<panel>
<chart>
<searchString>index=_internal group=* |eval redCount=case(searchmatch("pipeline"),"y")|eval yellowCount=case(searchmatch("deploy-server"),"x")|stats count(redCount) AS redCount, count(yellowCount) AS yellowCount by group</searchString>
<earliestTime>0</earliestTime>
<latestTime/>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="charting.fieldColors">{"redCount":0xFF0000,"yellowCount":0xFFFF00}</option>
</chart>
</panel>
</row>
</dashboard>
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
