Re: color pai in different color by result

sarit_s · ‎11-22-2023

Hello

I have this search :

index="report"
| stats count(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
    totalNumberOfPatches >= 1 AND totalNumberOfPatches <= 5, "Low Exposure",
    totalNumberOfPatches >= 6 AND totalNumberOfPatches <= 9, "Medium Exposure",
    totalNumberOfPatches >= 10, "High Exposure",
    totalNumberOfPatches == 0, "Compliant",
    1=1, "<not reported>"
  )

and i want to create pai for each exposure_level and color the pai in different color
how can i do it ?

Thanks

ITWhisperer · ‎11-22-2023

What is pai?

sarit_s · ‎11-22-2023

pie chart

ITWhisperer · ‎11-22-2023

Try something like this

index="report"
| stats count(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
    totalNumberOfPatches >= 1 AND totalNumberOfPatches <= 5, "Low Exposure",
    totalNumberOfPatches >= 6 AND totalNumberOfPatches <= 9, "Medium Exposure",
    totalNumberOfPatches >= 10, "High Exposure",
    totalNumberOfPatches == 0, "Compliant",
    1=1, "<not reported>"
  )
| xyseries Computer_Name exposure_level totalNumberOfPatches

Then set your trellis to be by exposure_level

sarit_s · ‎11-22-2023

Thanks
It looks better
I just want to color the pie in different colors so :

"Low Exposure" - blue
"Medium Exposure" - yellow
"High Exposure" - red
"Compliant" - green
<not reported> - gray
I couldn't find an option to do it

ITWhisperer · ‎11-22-2023

Are you wanting a separate pie chart for each exposure level or a single pie chart where all the counts for each exposure level are combined?

sarit_s · ‎11-22-2023

separate once

ITWhisperer · ‎11-22-2023

So, each pie chart would be all one colour?

sarit_s · ‎11-22-2023

exactly and will show the number of the count for the specific category

ITWhisperer · ‎11-22-2023

Where is category coming from? You only have totalNumberOfPatches, Computer_Name and exposure_level

sarit_s · ‎11-22-2023

sorry , category = exposure_level

ITWhisperer · ‎11-22-2023

Here is a sample dashboard showing how to set the colours for the pie charts using CSS - note that the order of the pie charts in the trellis is assumed to be fixed.

  <row>
    <panel depends="$alwayshide$">
      <html>
        <style>
          #trellis_pie div.facets-container div.viz-panel:nth-child(1) g.highcharts-series path
          {
            fill: red !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(2) g.highcharts-series path
          {
            fill: green !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(3) g.highcharts-series path
          {
            fill: blue !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(4) g.highcharts-series path
          {
            fill: yellow !important;
          }
        </style>
      </html>
    </panel>
    <panel>
      <chart id="trellis_pie">
        <search>
          <query>| makeresults count=100
| fields - _time
| eval Computer_Name=mvindex(split("ABCDE",""),random()%5).mvindex(split("ABCDE",""),random()%5)
| eval Category__Names_of_Patches=mvindex(split("XYZ",""),random()%3)
| stats count(Category__Names_of_Patches) as totalNumberOfPatches by Computer_Name
| eval exposure_level = case(
    totalNumberOfPatches &gt;= 1 AND totalNumberOfPatches &lt;= 5, "Low Exposure",
    totalNumberOfPatches &gt;= 6 AND totalNumberOfPatches &lt;= 9, "Medium Exposure",
    totalNumberOfPatches &gt;= 10, "High Exposure",
    totalNumberOfPatches == 0, "Compliant",
    1=1, "&lt;not reported&gt;"
  )
| stats sum(totalNumberOfPatches) as total by exposure_level
| eval category=exposure_level
| xyseries category exposure_level total</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
      </chart>
    </panel>
  </row>

sarit_s · ‎11-22-2023

Hello

Thanks ! it looks good but i still have few issues :
i configured this :

       <style>
          #trellis_pie div.facets-container div.viz-panel:nth-child(1) g.highcharts-series path
          {
            fill: blue !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(2) g.highcharts-series path
          {
            fill: yellow !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(3) g.highcharts-series path
          {
            fill: red !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(4) g.highcharts-series path
          {
            fill: green !important;
          }
          #trellis_pie div.facets-container div.viz-panel:nth-child(5) g.highcharts-series path
          {
            fill: gray !important;
          }
        </style>

if i understand correctly, the order of the colors is the order of the conditions in the "case"
so, in that case, "High Exposure" supposed to be red but actually its blue, "Low Exposure" supposed to be blue but its yellow and "Medium Exposure" supposed to be yellow but its red, the other two does not shown but it supposed to.
also, i don't see the number of results in the pie, i just see "other" even thought Minimum size set to 0

color pai in different color by result

chart

dashboard

other

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?