Hi Splunkers,
I have the below query
(index=xxx sourcetype=xxx severity=xxx intelId=xxx) | eval intelId=case(match(intelId,"xxx"),"Test1", match(intelId,"XX"),"Test2") | eval intelId=severity+":"+intelId | timechart usenull=f span=1d count by intelId
So this query gives me the information in a chart with severity + the field name, for example for INFO it will be INFO:Test1.
I was trying to give colors to the column chart with the following condition
"{"ERROR:":0xcc0000,"FATAL:":0xff9900,"INFO:":0x339933,"DEBUG:":0x6699ff}"
My goal is to achieve color based on the severity - But the above option doesn't seem to work.
Any inputs on this are much appreciated.
Thanks | RD
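One way to get severity-based colours, added here as an example and not part of the original post: charting.fieldColors is matched against the full series name that timechart emits (here severity+":"+intelId, e.g. INFO:Test1), so a bare prefix such as "INFO:" never matches any series. The search terms are the placeholders from the post, the four base colours are the ones the post lists, and the second shade per Test1/Test2 pair is an assumption.

```xml
<dashboard>
  <label>Count by severity and intel type (added example)</label>
  <row>
    <panel>
      <chart>
        <title>Daily count, coloured by severity</title>
        <search>
          <query>index=xxx sourcetype=xxx severity=xxx intelId=xxx
| eval intelId=case(match(intelId,"xxx"),"Test1", match(intelId,"XX"),"Test2")
| eval intelId=severity+":"+intelId
| timechart usenull=f span=1d count by intelId</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <!-- Keys must equal the complete series names produced by the
             timechart above; a prefix like "INFO:" matches nothing. -->
        <option name="charting.fieldColors">{"ERROR:Test1":0xcc0000,"ERROR:Test2":0x990000,"FATAL:Test1":0xff9900,"FATAL:Test2":0xcc7a00,"INFO:Test1":0x339933,"INFO:Test2":0x267326,"DEBUG:Test1":0x6699ff,"DEBUG:Test2":0x3366cc}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Every severity/intelId combination the search can produce needs its own key; any series without one falls back to the default palette.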