Splunk Search

Chart colors by search values

balcv
Contributor

I have a column chart showing event counts based on host name from two different indexes:

index="main" OR index="wineventlog" | stats count by host

What I would like to achieve is to be able to show the hosts from the main index in one color and the hosts from wineventlog index as a different color.

I've used something like:

  (index="main" OR index="wineventlog") 
 | chart count as total by host,index
 | eval redCount = if(index=="main",total, 0) 
 | eval greenCount = if(index=="wineventlog", total, 0) 
 | fields host redCount greenCount

However all hosts were returned with a 0 value.

Any suggestions greatly appreciated.

0 Karma
1 Solution

balcv
Contributor

After reviewing the various responses (thank you all for contributing) and combining various aspects, I have been able to come up with the solution I was after.

 (index="main" OR index="wineventlog") 
    | stats count as total by host,index 
    | eval host=lower(host) 
    | sort host 
    | eval Linux = if(index=="main",total, 0) 
    | eval Windows = if(index=="wineventlog", total, 0) 
    | fields host Linux Windows

This results in a column chart and when altering the formatting to be a stacked column chart and setting the colours

<option name="charting.seriesColors">[0xC53151,0x0066FF]</option>

I have the chart I was after showing the number of events per host with linux hosts in red and windows in blue.

Again, thank you for your contributions.


0 Karma


kelz
Explorer

Hi Balcv,

I used index="_internal" since I don't have index="main" in my Splunk environment and just renamed it to "index=main". Basically, to answer your question, you can manually assign whatever color you want depending on the field name in your search. To do that you need to add a new option name parameter for "charting.fieldColors" in your XML dashboard.

<option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>

Hex color values:
FF0000 = Red
008000 = Green

Below is the search string I used.

index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"

Try the full XML code below so you can see and test it.

<dashboard>
  <label>Column Chart (Manual change color depending on the field name on XML)</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"</query>
          <earliest>-5m@m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>
        <option name="charting.legend.placement">top</option>
      </chart>
    </panel>
  </row>
</dashboard>

Let me know if this answers your question. Thanks

Kelz

0 Karma

gcusello
SplunkTrust

Hi balcv,
try something like this

 (index="main" OR index="wineventlog") 
| stats count(eval(index=="main")) AS redCount count(eval(index=="wineventlog")) AS greenCount BY host
| table host redCount greenCount

Bye.
Giuseppe

0 Karma

balcv
Contributor

Thanks @gcusello. Unfortunately this produced errors in the stats statement telling me the eval statement is invalid. Thanks anyway.

0 Karma

santosh11
New Member

We can use table formatting of colors.

https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/TableFormatsFormatting

Please check if this helps.

Regards,
Santosh

0 Karma

balcv
Contributor

Will do. Thanks.

0 Karma