Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create 2 different chart overlays and change the colour of each chart in Splunk 6.6.2

kornelias
New Member
‎10-22-2018 07:20 AM

Hi all,
I'm pretty new to Splunk and a very novice at these things, so please excuse any mistakes on my part.
Just to get straight to the point: I'm using Splunk 6.6.2 as well as a dashboard created by my predecessor. One panel on this dashboard displays an area chart with 2 charts overlaid. The overlaid charts are shown as line charts. As such, this is already pretty cool, but we'd like to change the view of it slightly. One overlay can remain as line chart, but the other overlay we'd prefer to show as time stamps. Is this somehow possible?
I know there are certain limitations due to me being restricted to Splunk 6.6.2, but I'd like to think it is possible anyway. Annotations and Status Indicators are a no-go for me at this point. I do not think MV expand is applicable either. I have dabbled with Show markers, which works but counts for both overlays instead of just one and does not get rid of the lines, and I've tried Showlines, which works on the original area chart, but does not affect the overlays. I don't think sub searches work for this version of Splunk either. And adjusting the format of the overall chart does not meet the desired visual effect. I was also told I might be able to change the chart type for the overlaid charts from a line chart to a scatter chart. but was not told how, nor have I found any information about this. It seems that an overlay will always be a line chart regardless, yes?
Additionally, I'd also like to change the colours of each chart displayed. I have tried using fieldColors and searched for the hexagon colour codes I wanted to use, but adding this option to my code seems to have no effect at all. seriesColor seems to not be available for this version of Splunk.
Would anybody have any suggestions for me?
As reference, here's the dashboard I'm trying to change:

    <search>
      <query>index=p-iot-indego StatusUpdater OR TriggerAlertSender $mower_serial$ | eval state = case(state==514, 140, state==64513, 1400, 1==1, state) | chart values(mown) values(state) values(new) by _time </query>
      <earliest>$Time.earliest$</earliest>
      <latest>$Time.latest$</latest>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisLabelsX.majorLabelVisibility">hide</option>
    <option name="charting.axisLabelsY.majorUnit">25</option>
    <option name="charting.axisLabelsY2.majorUnit">250</option>
    <option name="charting.axisTitleX.text">Time</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.text">Mown %</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.text">States and Errors</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.maximumNumber">100</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">1</option>
    <option name="charting.axisY2.maximumNumber">1600</option>
    <option name="charting.axisY2.minimumNumber">0</option>
    <option name="charting.axisY2.scale">linear</option>
    <option name="charting.chart">area</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.markerSize">1</option>
    <option name="charting.chart.nullValueMode">connect</option>
    <option name="charting.chart.overlayFields">values(state), values(new)</option>
    <option name="charting.chart.showDataLabels">all</option>
    <option name="charting.chart.showLines">1</option>
    <option name="charting.chart.showMarkers">0</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>
   (here I tried inserting <option name="charting.fieldColors">{"mown":0xd9f2d9,"state":0xffcc00,"new":0xff0000}</option>)
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">bottom</option>
    <option name="charting.lineDashStyle">solid</option>
    <option name="height">536</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <option name="trellis.splitBy">_aggregation</option>
  </chart>
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...