Solved: how to show different colors for each bar in bar c...

ramki1459 · ‎06-07-2018

|query
| stats count by app_status| eventstats sum(count) as totalCount 
| eval percentage=round((count/totalCount)*100,3)
| fields - count totalCount
| chart max(percentage) by app_status

i want to show results in bar chart. with above query i am able to see the bar chart, but all bars have same color. is there way to show different colors for each bar? thanks in advance

niketn · ‎06-08-2018

@ramki1459, try the following search.

<yourBaseSearch>
| top 0 app_status showcount=f
| transpose 0 header_field="app_status" column_name="app_status" 
| search component!="_*" 
| chart max(percentage) by app_status

PS: I have used limit=0 to show maximum allowed fields. However, you can use specific number if you know what could be the upper limit for unique app_status field values. The following run anywhere example based on Splunk's _internal index shows only 5 of all the components.

index=_internal sourcetype=splunkd log_level!="INFO" component!="Metrics" OR component!="PeriodicHealthChecker" 
| top 5 component showcount=f 
| transpose 5 header_field="component" column_name="component" 
| search component!="_*"

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-08-2018

@ramki1459, try the following search.

<yourBaseSearch>
| top 0 app_status showcount=f
| transpose 0 header_field="app_status" column_name="app_status" 
| search component!="_*" 
| chart max(percentage) by app_status

PS: I have used limit=0 to show maximum allowed fields. However, you can use specific number if you know what could be the upper limit for unique app_status field values. The following run anywhere example based on Splunk's _internal index shows only 5 of all the components.

index=_internal sourcetype=splunkd log_level!="INFO" component!="Metrics" OR component!="PeriodicHealthChecker" 
| top 5 component showcount=f 
| transpose 5 header_field="component" column_name="component" 
| search component!="_*"

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Nadhiyaa · ‎04-14-2019

@niketnilay When i try the bars are not in the descendingly sorted . How to fix that

niketn · ‎04-14-2019

@Nadhiyaa what is the query you are using. The top command in the above example applies reverse sorting based on volume for a field. So this is supposed to work. Did you try out the run anywhere example based on Splunk's _internal index?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Nadhiyaa · ‎04-18-2019

@niketnilay yes the color changes but the visualization doesn't look from top to bottom .

niketn · ‎04-18-2019

For me a Column or Bar chart works fine not sure which visualization you are using and what is your query. I have changed the query to stats to see if this is what you are using.

index=_internal sourcetype=splunkd
| stats count by log_level 
| eventstats sum(count) as totalCount 
| eval percentage=round((count/totalCount)*100,3) 
| fields - count totalCount 
| chart max(percentage) as "Percentage (max)" by log_level
| sort 0 - "Percentage (max)"
| transpose 0 header_field=log_level column_name=log_level

If this does not work kindly post the query you are using as a new question!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ramki1459 · ‎06-08-2018

thank you so much. it worked 🙂

somesoni2 · ‎06-07-2018

Give this a try

|query
 | stats count by app_status| eventstats sum(count) as totalCount 
 | eval percentage=round((count/totalCount)*100,3)
 | fields - count totalCount | eval temp=app_status
 | chart max(percentage) by t app_status temp

how to show different colors for each bar in bar chart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!