Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change the color of a bar if it is the highest value in the chart?

dbcase
Motivator
‎07-18-2016 10:11 AM

Hi,

I'm trying to figure out a way to change the color of one of the bars in a series to RED if that bar happens to be the highest value vs all the rest of the bars.

I see where you can change the color if the value is in between x and y and that is helpful to learn how the color change can happen, I'm just having trouble figuring out how to get to the highest value.

0 Karma
Reply

somesoni2
Revered Legend
‎07-19-2016 02:56 PM

Give this a try (and use the stacked in the chart's general properly)

index=top10 source=/home/oracle/workdir/account_log.csv OR source=/home/oracle/workdir/reboots_requests_summary.csv |where OBJECT_TYPE="reboot" AND DIFF=""|eval TICKET_CODE_TEXT=case(TICKET_CODE==15395,"15395-Offline Frozen",TICKET_CODE==15396,"15396-Offline Black Screen",TICKET_CODE==15397,"15397-Offline Stuck Booting",TICKET_CODE==15398,"15398-Offline Operational",TICKET_CODE==15399,"15399-Online Frozen",TICKET_CODE==15400,"15400-Online Black Screen",TICKET_CODE==15401,"15401-Online Stuck Booting")|stats dc(PREMISE) as "PREMISE COUNT" by TICKET_CODE_TEXT|sort -"PREMISE COUNT" | eventstats max("PREMISE COUNT") as "PREMISE COUNT (MAX)" | eval "PREMISE COUNT(MAX)"=if('PREMISE COUNT'='PREMISE COUNT (MAX)','PREMISE COUNT (MAX)',0) | eval "PREMISE COUNT"=if('PREMISE COUNT'='PREMISE COUNT (MAX)',0,'PREMISE COUNT')
0 Karma
Reply

dbcase
Motivator
‎07-21-2016 07:57 AM

Interesting idea. Gets closer but it seems to add the first column to all the data points instead of it being just the first one

0 Karma
Reply

dbcase
Motivator
‎07-18-2016 10:58 AM

Sure!!!

index=top10 source=/home/oracle/workdir/account_log.csv OR source=/home/oracle/workdir/reboots_requests_summary.csv |where OBJECT_TYPE="reboot" AND DIFF=""|eval TICKET_CODE_TEXT=case(TICKET_CODE==15395,"15395-Offline Frozen",TICKET_CODE==15396,"15396-Offline Black Screen",TICKET_CODE==15397,"15397-Offline Stuck Booting",TICKET_CODE==15398,"15398-Offline Operational",TICKET_CODE==15399,"15399-Online Frozen",TICKET_CODE==15400,"15400-Online Black Screen",TICKET_CODE==15401,"15401-Online Stuck Booting")|stats dc(PREMISE) as "PREMISE COUNT" by TICKET_CODE_TEXT|sort -"PREMISE COUNT"
0 Karma
Reply

dbcase
Motivator
‎07-18-2016 10:27 AM

Ok little bit of an update. I figured out that I can sort the results so that the first bar will always be the highest value. Which is closer to what I'm looking for. How can I change the color of the 1st bar but only the first bar?

0 Karma
Reply

somesoni2
Revered Legend
‎07-18-2016 10:55 AM

Can you post your current search?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...