I have the following query and it displays bar graph for each Module (finance, marketing) and its corresponding state (final, terminal, duplicate etc.).
index="dispatcher" host="displogs" Module=proetojt OR nxtransdirect OR sep_cid_coversheet OR previewservice | stats count by Module, finalstate
index="dispatcher" host="displogs" Module=proetojt OR nxtransdirect OR sep_cid_coversheet OR previewservice|eval Module=Module." - Final" | stats count by Module, finalstate
or maybe you want ...|eval finalstate=finalstate." - Final"|...
charting.fieldColors:
<option name="charting.fieldColors">
{"Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}
</option>
The charting field color options need to match the possible values of your by clause exactly (case sensitive too). So for example, you have "Proe Complete" as one of the possible values. If you wanted those to be red, you'd replace "TERMINAL" in my example with "Proe Complete".
Sorry for late reply, I was on vacation.
I changed the following in my code:
{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}
However, still all the charts appear in light blue color. I ensured that as per the query, they are exactly matched case sensitive:
index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete", Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete", Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal") | stats count by ModuleANDState
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.placement">top</option>
<option name="charting.fieldColors">{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}</option>
I was able to complete the first part i.e. to get the value of the label changed in the bar chart on the basis of 2 fields.
index="xxx-dispatcher" host="xxx_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR
Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",
Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",
Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND
fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete") | stats count by
ModuleANDState
Thanks Niket and Jkat54 for giving me some idea for this.
Now, the issue remains that bar chart of "Proe Complete" should be green, bar chart of "Proe terminal" should be Red and so on.
You have to do this in a dashboard to change the colors. Can you post your dashboard code?
I added the above query, however the graphs are still in same color. It does not change the color for TERMINAL fstate (finalstate of a job). Unfortunately, it does not let me add attachment (asking for Karma Point)
index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval fstate=fstate." - TERMINAL" | stats count by Module, fstate
<option name="charting.fieldColors">
{"Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}
</option>
Paste your dashboard code please
Dispatcher_Modules
Dispatcher Modules
<input type="time" token="field1">
<label></label>
</input>
<panel>
<title>ORL Dispatcher</title>
<chart>
<search>
<query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete", Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete", Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete", Module="nxtransdirect" AND fstate="DUPLICATE", "NX Duplicate", Module="nxtransdirect" AND fstate="TERMINAL", "NX Terminal") | stats count by ModuleANDState</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.fieldColors">
{"Coversheet Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}
</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">log</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.placement">top</option>
</chart>
</panel>
Update: Converted to answer to add screenshot with a run anywhere example.
I see that you are trying to use two fields in the stats by clause. You need to make sure that field names match exactly when you use fieldColors otherwise it will not work. You can consider using chart command and plot one field on x axis using over command and another field's value in the y axis using by clause.
Refer to following two run anywhere examples:
Scenario 1
When I calculate statistics using split by log_level, I know that there are only limited field values that can be present (I have purposely removed log_level=INFO from my base search). This is an ideal scenario for using charting.fieldColors, since the Series names are limited and I am aware of the series names upfront. Also notice that series names for fieldColors are exactly the same as the series being plotted in the chart.
<option name="charting.fieldColors">{"WARN": 0xffff00, "ERROR": 0xff0000, "FATAL": 0x000000}</option>
Scenario 1
When I use chart over log_level by component, I am not aware of the names of the series that would be calculated because there are so many components (refer to legend on right side of the chart). If we don't know the name but know that there might be only n number of maximum series being plotted we can use charting.seriesColors instead. In this case I have defined eight series colors.
<option name="charting.seriesColors">[0xffff00,0xff0000,0x000000,0x0000ff,0x00ff00,0x00ffff,0xaaff00,0xffaa00]</option>
<row>
<panel>
<title>Chart fieldColors example</title>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| chart count over component by log_level</query>
<earliest>@w0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{"WARN": 0xffff00, "ERROR": 0xff0000, "FATAL": 0x000000}</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Chart seriesColors example</title>
<chart>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| chart count over log_level by component</query>
<earliest>@w0</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.seriesColors">[0xffff00,0xff0000,0x000000,0x0000ff,0x00ff00,0x00ffff,0xaaff00,0xffaa00]</option>
</chart>
</panel>
</row>
Please see which scenario fits your needs and let us know how it goes. The code here uses Splunk's internal index, so practically you should be able to test it anywhere, provided you have access to query the _internal index.
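Added example (not part of the thread and not Splunk code): a small Python check for the failure discussed above, where `charting.fieldColors` keys do not match the series the chart actually plots. It assumes the chart uses the first result column as the x-axis and every other column as a series; the dashboard XML, the result headers and the lowercase `error` key are constructed sample data, and `lint_dashboard` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed dashboard, modelled on the panels posted in this thread.
DASHBOARD = """\
<dashboard>
  <row>
    <panel>
      <title>ORL Dispatcher</title>
      <chart>
        <search><query>index="tcpr-dispatcher" | stats count by ModuleANDState</query></search>
        <option name="charting.fieldColors">{"Proe Complete": 0xffff00, "Proe Terminal": 0xff0000, "FATAL": 0x000000}</option>
      </chart>
    </panel>
    <panel>
      <title>Chart fieldColors example</title>
      <chart>
        <search><query>index=_internal sourcetype=splunkd log_level!=INFO | chart count over component by log_level</query></search>
        <option name="charting.fieldColors">{"WARN": 0xffff00, "error": 0xff0000, "FATAL": 0x000000}</option>
      </chart>
    </panel>
  </row>
</dashboard>
"""

# Constructed result headers (first row of each panel's search output).
RESULT_COLUMNS = {
    "ORL Dispatcher": ["ModuleANDState", "count"],
    "Chart fieldColors example": ["component", "ERROR", "FATAL", "WARN"],
}

# fieldColors is not strict JSON: colours are bare 0xRRGGBB literals.
PAIR = re.compile(r'"((?:[^"\\]|\\.)*)"\s*:\s*(0[xX][0-9a-fA-F]{6})\b')


def parse_field_colors(text):
    """Return {series name: colour int} from a charting.fieldColors value."""
    return {name: int(colour, 16) for name, colour in PAIR.findall(text or "")}


def series_names(columns):
    """Assumption: first column is the x-axis, other non-internal columns are series."""
    return [c for c in columns[1:] if not c.startswith("_")]


def lint_dashboard(xml_text, result_columns):
    """Compare each chart's fieldColors keys with the series it actually plots."""
    report = {}
    for panel in ET.fromstring(xml_text).iter("panel"):
        title = panel.findtext("title", default="(untitled)")
        option = panel.find("./chart/option[@name='charting.fieldColors']")
        if option is None or title not in result_columns:
            continue
        keys = parse_field_colors(option.text)
        series = series_names(result_columns[title])
        by_lower = {s.lower(): s for s in series}
        report[title] = {
            "matched": sorted(k for k in keys if k in series),
            # Same name, different case: fieldColors matching is case sensitive.
            "case_mismatch": {k: by_lower[k.lower()] for k in keys
                              if k not in series and k.lower() in by_lower},
            "never_matches": sorted(k for k in keys if k.lower() not in by_lower),
            "uncolored_series": sorted(s for s in series if s not in keys),
        }
    return report


if __name__ == "__main__":
    for title, findings in lint_dashboard(DASHBOARD, RESULT_COLUMNS).items():
        print(title, findings)
```

Under that assumption, the `stats count by ModuleANDState` panel plots a single series named `count`, so none of its three keys can apply.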
@discoverneeraj... Can you add sample screenshot or mock output? You can print table using 1010101 button while posting.
Colors you can control by charting.fieldColors (if your field names are static) or charting.seriesColors (if your field sequence is static) based on your use case. Refer to the following documentation: http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference#General_chart_pro...
Dispatcher_Modules
Dispatcher Modules
<input type="time" token="field1">
<label></label>
</input>
<panel>
<title>ORL Dispatcher</title>
<chart>
<search>
<query>index="tcpr-dispatcher" host="orl_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR
Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",
Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",
Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND
fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete",
Module="nxtransdirect" AND fstate="DUPLICATE", "NX Duplicate", Module="nxtransdirect" AND fstate="TERMINAL",
"NX Terminal", Module="sep_cid_coversheet" AND fstate="COMPLETE", "Coversheet Complete",
Module="sep_cid_coversheet" AND fstate="CANCELLED", "Coversheet Cancelled", Module="sep_cid_coversheet" AND
fstate="DELETE", "Coversheet Delete", Module="sep_cid_coversheet" AND fstate="DUPLICATE", "Coversheet Duplicate",
Module="sep_cid_coversheet" AND fstate="TERMINAL", "Coversheet Terminal", Module="previewservice" AND fstate="COMPLETE",
"Preview Complete", Module="previewservice" AND fstate="CANCELLED", "Preview Cancelled",
Module="previewservice" AND fstate="DELETE", "Preview Delete", Module="previewservice" AND fstate="DUPLICATE",
"Preview Duplicate", Module="previewservice" AND fstate="TERMINAL", "Preview Terminal",
Module="asyncservice" AND fstate="COMPLETE", "Async Complete", Module="asyncservice" AND fstate="CANCELLED",
"Async Cancelled", Module="asyncservice" AND fstate="DELETE", "Async Delete", Module="asyncservice" AND
fstate="DUPLICATE", "Async Duplicate", Module="asyncservice" AND fstate="TERMINAL", "Async Terminal",Module="contmgmtpublish" AND fstate="COMPLETE", "ContMgmt Complete", Module="contmgmtpublish" AND
fstate="CANCELLED", "ContMgmt Cancelled", Module="contmgmtpublish" AND fstate="DELETE", "ContMgmt Delete",
Module="contmgmtpublish" AND fstate="DUPLICATE", "ContMgmt Duplicate", Module="contmgmtpublish" AND fstate="TERMINAL",
"ContMgmt Terminal",Module="frmstransfer" AND fstate="COMPLETE", "FRMS Complete", Module="frmstransfer" AND
fstate="CANCELLED", "FRMS Cancelled", Module="frmstransfer" AND fstate="DELETE", "FRMS Delete", Module="frmstransfer" AND
fstate="DUPLICATE", "FRMS Duplicate", Module="frmstransfer" AND fstate="TERMINAL", "FRMS Terminal") | stats count by
ModuleANDState</query>
<option name="charting.fieldColors">{"Coversheet Complete": 0x0DFF00, "Terminal": 0xFF0000, "Other":0x0066FF, "NULL":0xC4C4C0}</option>
<panel>
<title>MLH Dispatcher</title>
<chart>
<search>
<query>index="tcpr-dispatcher" host="mlh_displogs" Module=proetojt OR Module=nxtransdirect OR Module=sep_cid_coversheet OR
Module=previewservice | eval ModuleANDState = case(Module="proetojt" AND fstate="COMPLETE", "Proe Complete",
Module="proetojt" AND fstate="CANCELLED", "Proe Cancelled", Module="proetojt" AND fstate="DELETE", "Proe Delete",
Module="proetojt" AND fstate="DUPLICATE", "Proe Duplicate", Module="proetojt" AND fstate="TERMINAL", "Proe Terminal", Module="nxtransdirect" AND fstate="COMPLETE", "NX Complete", Module="nxtransdirect" AND
fstate="CANCELLED", "NX Cancelled", Module="nxtransdirect" AND fstate="DELETE", "NX Delete",
Module="nxtransdirect" AND fstate="DUPLICATE", "NX Duplicate", Module="nxtransdirect" AND fstate="TERMINAL",
"NX Terminal", Module="sep_cid_coversheet" AND fstate="COMPLETE", "Coversheet Complete",
Module="sep_cid_coversheet" AND fstate="CANCELLED", "Coversheet Cancelled", Module="sep_cid_coversheet" AND
fstate="DELETE", "Coversheet Delete", Module="sep_cid_coversheet" AND fstate="DUPLICATE", "Coversheet Duplicate",
Module="sep_cid_coversheet" AND fstate="TERMINAL", "Coversheet Terminal", Module="previewservice" AND fstate="COMPLETE",
"Preview Complete", Module="previewservice" AND fstate="CANCELLED", "Preview Cancelled",
Module="previewservice" AND fstate="DELETE", "Preview Delete", Module="previewservice" AND fstate="DUPLICATE",
"Preview Duplicate", Module="previewservice" AND fstate="TERMINAL", "Preview Terminal",
Module="asyncservice" AND fstate="COMPLETE", "Async Complete", Module="asyncservice" AND fstate="CANCELLED",
"Async Cancelled", Module="asyncservice" AND fstate="DELETE", "Async Delete", Module="asyncservice" AND
fstate="DUPLICATE", "Async Duplicate", Module="asyncservice" AND fstate="TERMINAL", "Async Terminal",Module="contmgmtpublish" AND fstate="COMPLETE", "ContMgmt Complete", Module="contmgmtpublish" AND
fstate="CANCELLED", "ContMgmt Cancelled", Module="contmgmtpublish" AND fstate="DELETE", "ContMgmt Delete",
Module="contmgmtpublish" AND fstate="DUPLICATE", "ContMgmt Duplicate", Module="contmgmtpublish" AND fstate="TERMINAL",
"ContMgmt Terminal",Module="frmstransfer" AND fstate="COMPLETE", "FRMS Complete", Module="frmstransfer" AND
fstate="CANCELLED", "FRMS Cancelled", Module="frmstransfer" AND fstate="DELETE", "FRMS Delete", Module="frmstransfer" AND
fstate="DUPLICATE", "FRMS Duplicate", Module="frmstransfer" AND fstate="TERMINAL", "FRMS Terminal") | stats count by
ModuleANDState</query>
What are your Legend names when your chart is built? They are your field names and should match exactly when you use fieldColors. If you can't control the field names you can directly use seriesColors. The difference with seriesColors command is that you just define a series of colors and colors are picked one by one for each series.