Change color of bar chart based on nested count

discoverneeraj · ‎04-11-2017

I have the following query and it displays bar graph for each Module (finance, marketing) and it's corresponding state (final, terminal, duplicate etc.)

index="dispatcher" host="displogs" Module=proetojt OR nxtransdirect OR sep_cid_coversheet OR previewservice | stats count by Module, finalstate

How to get the bar title as Marketing - Final (currently, it shows the value as Marketing for all states)
How to change the color based on finalstate value (green for Complete, red for terminal and so on)

jkat54 · ‎04-11-2017

index="dispatcher" host="displogs" Module=proetojt OR nxtransdirect OR sep_cid_coversheet OR previewservice|eval Module=Module." - Final" | stats count by Module, finalstate

or maybe you want ...|eval finalstate=finalstate." - Final"|...

charting.fieldColors:

    <option name="charting.fieldColors">
      {"Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}
    </option>

jkat54 · ‎04-16-2017

The charting filed color options need to match the possible values of your by clause exactly (case sensitive too). So for example, you have "Proe Complete" as one of the possible values. If you wanted those to be red, you'd replace "TERMINAL" in my example with "Proe Complete".

discoverneeraj · ‎04-24-2017

Sorry for late reply, I was on vacation.

I changed the following in my code:

{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}

However, still all the charts appear in light blue color. I ensured that as per the query, they are exactly matched case sensitive:

index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR

Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",

Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",

Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal",

discoverneeraj · ‎04-24-2017

<query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR 

Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete", 

Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete", 

Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate",  Module="proetojt" AND fstate="TERMINAL", "Proe Terminal") | stats count by ModuleANDState</query>

$field1.earliest$
$field1.latest$
1

ellipsisNone
0
visible
visible
visible
linear
log
0
inherit
column
50
10
area
gaps
all
0.01
default
shiny
all
0
0
ellipsisEnd
top
{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}

discoverneeraj · ‎04-24-2017

index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete", Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete", Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal") | stats count by ModuleANDState

    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">log</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
    <option name="charting.legend.placement">top</option>
    <option name="charting.fieldColors">{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}</option>

<query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete", Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete", Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate",  Module="proetojt" AND fstate="TERMINAL", "Proe Terminal") | stats count by ModuleANDState</query>

        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">all</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.placement">top</option>
        <option name="charting.fieldColors">{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}</option>

discoverneeraj · ‎04-12-2017

I was able to complete the first part i.e. to get the value of the label changed in the bar chart on the basis of 2 fields.

index="xxx-dispatcher" host="xxx_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR

Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",

Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",

Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND

fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete") | stats count by

ModuleANDState

Thanks Niket and Jkat54 for giving me some idea for this.

Now, the issue remains that bar chart of "Proe Complete" should be green, bar chart of "Proe terminal" should be Red and so on.

jkat54 · ‎04-12-2017

You have to do this in a dashboard to change the colors. Can you post your dashboard code?

discoverneeraj · ‎04-11-2017

I added the above query, however the graphs are still in same color. It does not change the color for TERMINAL fstate (finalstate of a job). Unfortunately, it does not let me add attachment (asking for Karma Point)

index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval fstate=fstate." - TERMINAL" | stats count by Module, fstate

        {"Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}
      </option>

jkat54 · ‎04-12-2017

Paste your dashboard code please

discoverneeraj · ‎04-16-2017

Dispatcher_Modules
Dispatcher Modules

<input type="time" token="field1">
  <label></label>
</input>


<panel>
  <title>ORL Dispatcher</title>
  <chart>
    <search>
      <query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete", Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete", Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate",  Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete", Module="nxtransdirect" AND fstate="DUPLICATE", "NX Duplicate",  Module="nxtransdirect" AND fstate="TERMINAL", "NX Terminal") | stats count by ModuleANDState

      <earliest>$field1.earliest$</earliest>
      <latest>$field1.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
           <option name="charting.fieldColors">
       {"Coversheet Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}
     </option>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">log</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
    <option name="charting.legend.placement">top</option>
  </chart>
</panel>

discoverneeraj · ‎04-16-2017

Dispatcher_Modules
Dispatcher Modules

<input type="time" token="field1">
  <label></label>
</input>


<panel>
  <title>ORL Dispatcher</title>
  <chart>
    <search>
      <query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR

Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",

Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",

Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND

fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete",

Module="nxtransdirect" AND fstate="DUPLICATE", "NX Duplicate", Module="nxtransdirect" AND fstate="TERMINAL",

"NX Terminal") | stats count by

ModuleANDState
$field1.earliest$
$field1.latest$
1

{"Coversheet Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}

ellipsisNone
0
visible
visible
visible
linear
log
0
inherit
column
50
10
area
gaps
all
0.01
default
shiny
all
0
0
ellipsisEnd
top

niketn · ‎04-11-2017

Update: Converted to answer to add screenshot with a run anywhere example.

I see that you are trying to use two fields in the stats by clause. You need to make sure that field names match exactly when you use fieldColors otherwise it will not work. You can consider using chart command and plot one field on x axis using over command and another field's value in the y axis using by clause.

Refer to following two run anywhere examples:

Scenario 1
When I calculate statistics using split by log_level , I know that there are only limited field values that can be present (I have purposely removed log_level=INFO from my base search). This is an ideal scenario for using charting.fieldColors, since the Series names are limited and I am aware of the series names upfront. Also notice that series names for fieldColors are exactly the same as the series being plotted in the chart.

<option name="charting.fieldColors">{"WARN": 0xffff00, "ERROR": 0xff0000, "FATAL": 0x000000}</option>

Scenario 1
When I use chart over log_level by component, I am not aware of the names of the series that would be calculated because there are so many components (refer to legend on right side of the chart). If we dont know the name but know that there might be only n number of maximum series being plotted we can use charting.seriesColors instead. In this case I have defined eight series colors

<option name="charting.seriesColors">[0xffff00,0xff0000,0x000000,0x0000ff,0x00ff00,0x00ffff,0xaaff00,0xffaa00]</option>

  <row>
    <panel>
      <title>Chart fieldColors example</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| chart count over component by log_level</query>
          <earliest>@w0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.fieldColors">{"WARN": 0xffff00, "ERROR": 0xff0000, "FATAL": 0x000000}</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Chart seriesColors example</title>
      <chart>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!=INFO
| chart count over log_level by component</query>
          <earliest>@w0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.seriesColors">[0xffff00,0xff0000,0x000000,0x0000ff,0x00ff00,0x00ffff,0xaaff00,0xffaa00]</option>
      </chart>
    </panel>
  </row>

Please see which scenario fits your needs and let us know how it goes. The code here uses Splunk's internal index, so practically you should be able to test it anywhere, provided you have access to query the _internal index.

@discoverneeraj... Can you add sample screenshot or mock output? You can print table using 1010101 button while posting.

colors you can control by charting.fieldColors (if your field names are static) or charting.seriesColors (if your field sequence is static) based on your use case. Refer to the following documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pro...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

discoverneeraj · ‎04-12-2017

Dispatcher_Modules
Dispatcher Modules

<input type="time" token="field1">
  <label></label>
</input>


<panel>
  <title>ORL Dispatcher</title>
  <chart>
    <search>
      <query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR

Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",

Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",

Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND

fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete",

Module="nxtransdirect" AND fstate="DUPLICATE", "NX Duplicate", Module="nxtransdirect" AND fstate="TERMINAL",

"NX Terminal", Module="sep_cid_coversheet" AND fstate="COMPLETE", "Coversheet Complete",

Module="sep_cid_coversheet" AND fstate="CANCELLED", "Coversheet Cancelled", Module="sep_cid_coversheet" AND

fstate="DELETE", "Coversheet Delete", Module="sep_cid_coversheet" AND fstate="DUPLICATE", "Coversheet Duplicate",

Module="sep_cid_coversheet" AND fstate="TERMINAL", "Coversheet Terminal", Module="previewservice" AND fstate="COMPLETE",

"Preview Complete", Module="previewservice" AND fstate="CANCELLED", "Preview Cancelled",

Module="previewservice" AND fstate="DELETE", "Preview Delete", Module="previewservice" AND fstate="DUPLICATE",

"Preview Duplicate", Module="previewservice" AND fstate="TERMINAL", "Preview Terminal",

Module="asyncservice" AND fstate="COMPLETE", "Async Complete", Module="asyncservice" AND fstate="CANCELLED",

"Async Cancelled", Module="asyncservice" AND fstate="DELETE", "Async Delete", Module="asyncservice" AND

fstate="DUPLICATE", "Async Duplicate", Module="asyncservice" AND fstate="TERMINAL", "Async Terminal",Module="contmgmtpublish" AND fstate="COMPLETE", "ContMgmt Complete", Module="contmgmtpublish" AND

fstate="CANCELLED", "ContMgmt Cancelled", Module="contmgmtpublish" AND fstate="DELETE", "ContMgmt Delete",

Module="contmgmtpublish" AND fstate="DUPLICATE", "ContMgmt Duplicate", Module="contmgmtpublish" AND fstate="TERMINAL",

"ContMgmt Terminal",Module="frmstransfer" AND fstate="COMPLETE", "FRMS Complete", Module="frmstransfer" AND

fstate="CANCELLED", "FRMS Cancelled", Module="frmstransfer" AND fstate="DELETE", "FRMS Delete", Module="frmstransfer" AND

fstate="DUPLICATE", "FRMS Duplicate", Module="frmstransfer" AND fstate="TERMINAL", "FRMS Terminal") | stats count by

ModuleANDState
$field1.earliest$
$field1.latest$
1

{"Coversheet Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}

ellipsisNone
0
visible
visible
visible
linear
log
0
inherit
column
50
10
area
gaps
all
0.01
default
shiny
all
0
0
ellipsisEnd
top

<panel>
  <title>MLH Dispatcher</title>
  <chart>
    <search>
      <query>index="tcpr-dispatcher" host="mlh_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR