I have a column chart showing event counts based on host name from two different indexes:
index="main" OR index="wineventlog" | stats count by host
What I would like to achieve is to be able to show the hosts from the main index in one color and the hosts from wineventlog index as a different color.
I've used something like:
(index="main" OR index="wineventlog")
| chart count as total by host,index
| eval redCount = if(index=="main",total, 0)
| eval greenCount = if(index=="wineventlog", total, 0)
| fields host redCount greenCount
However all hosts were returned with a 0 value.
Any suggestions greatly appreciated.
After reviewing the various responses (thank you all for contributing) and combining various aspects, I have been able to come up with the solution I was after.
(index="main" OR index="wineventlog")
| stats count as total by host,index
| eval host=lower(host)
| sort host
| eval Linux = if(index=="main",total, 0)
| eval Windows = if(index=="wineventlog", total, 0)
| fields host Linux Windows
This results in a column chart and when altering the formatting to be a stacked column chart and setting the colours
<option name="charting.seriesColors">[0xC53151,0x0066FF]</option>
I have the chart I was after showing the number of events per host with Linux hosts in red and Windows in blue.
Again, thank you for your contributions.
Hi Balcv,
I used index="_internal" since I don't have index="main" in my Splunk environment, and just renamed it to "index=main". Basically, to answer your question, you can manually assign whatever color you want depending on the field name in your search. To do that you need to add a new option parameter for "charting.fieldColors" in your XML dashboard.
<option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>
Hex color values:
FF0000 = Red
008000 = Green
Below is the search string I used.
index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"
Try the full XML code below so you can see and test it.
<dashboard>
<label>Column Chart (Manual change color depending on the field name on XML)</label>
<row>
<panel>
<chart>
<search>
<query>index="_internal" OR index="wineventlog"
| chart count AS total BY host, index
| rename "VALUE_internal" AS "main"</query>
<earliest>-5m@m</earliest>
<latest>now</latest>
</search>
<option name="charting.axisY.scale">log</option>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">none</option>
<option name="charting.fieldColors">{"wineventlog":0xFF0000, "main":0x008000}</option>
<option name="charting.legend.placement">top</option>
</chart>
</panel>
</row>
</dashboard>
Kelz
Hi balcv,
try something like this
(index="main" OR index="wineventlog")
| stats count(eval(if(index=main,1,0))) AS redCount count(eval(if(index=wineventlog))) AS greeCount BY host
| table host redCount greenCount
Bye.
Giuseppe
Thanks @gcusello. Unfortunately this produced errors in the stats statement telling me the eval statement is invalid. Thanks anyway.
We can use table formatting of colors.
https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/TableFormatsFormatting
Please check if this helps.
Regards,
Santosh
Will do. Thanks.