I have seen [this question][1] and [this docs page][2], together with a few other questions on the topic, but I am having some issues getting this to work on a new dashboard panel. The underlying search string is this:
```
sourcetype="csv" QuestionNumber=1 | stats count by Answer | sort -count
```
And the results are of the following form:
| Answer | count |
|---|---|
| Very good | 100 |
| Good | 200 |
| Ok | 50 |
| Bad | 9 |
| Very bad | 2 |
In the bar graph that gets created from this table, I would like the bars for "Bad" and "Very Bad" to be displayed in red, the one for "Ok" in yellow and the ones for "Good" and "Very good" in green. This is the XML code for this dashboard panel (I have removed some lines that are not relevant):
```
Test source="/sourcetype="csv" QuestionNumber=1 | stats count by Answer| sort -count
| eval bad = if(Answer=="Very bad" OR Answer=="Bad",AnswerCode,null())
| eval ok = if(Answer=="Ok",AnswerCode,null())
| eval good = if(Answer=="Very good" OR Answer=="Good",AnswerCode,null())
```
But the colors don't change with this. If I use the count value as the value to check against, this is working, so I am thinking I might be overlooking something very obvious...
**Update**
After the suggestions below, I have updated my search to the following:
```
source=sourcetype="csv" QuestionNumber=1
| eval bad = if(Answer=="Very bad" OR Answer=="Bad",1,0)
| eval ok = if(Answer=="Ok",1,0)
| eval good = if(Answer=="Very good" OR Answer=="Good",1,0)
| stats count by bad ok good| sort -count
```
And now I get the opposite result: the whole chart is red :D Also, there is no "bad" level, but I see a "count" label, which shouldn't be there.
![alt text][3]
[1]: https://answers.splunk.com/answers/58335/change-chart-bar-color-based-on-data-value.html
[2]: http://docs.splunk.com/Documentation/Splunk/6.1/Viz/BuildandeditdashboardswithSimplifiedXML#Specify_custom_colors_for_fields_in_charts
[3]: /storage/temp/79194-screen-shot-2015-12-28-at-152324.png
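
An added example, not part of the original post: a Simple XML panel sketch in which the three series are built after `stats` from the `count` field, since `stats count by Answer` leaves only `Answer` and `count` in the results. The panel title, the hex colours and the `<search><query>` element form are assumptions; `charting.fieldColors` is the option described on the linked docs page.

```xml
<!-- Added example: title, colours and element layout are assumptions. -->
<panel>
  <chart>
    <title>Answers to question 1</title>
    <search>
      <!-- After "stats count by Answer" only Answer and count exist,
           so each series takes its value from count. Rows that do not
           match get null(), which leaves that series empty for the row.
           "fields" drops count so it is not plotted as a fourth series. -->
      <query>
        sourcetype="csv" QuestionNumber=1
        | stats count by Answer
        | sort -count
        | eval bad  = if(Answer=="Very bad" OR Answer=="Bad", count, null())
        | eval ok   = if(Answer=="Ok", count, null())
        | eval good = if(Answer=="Very good" OR Answer=="Good", count, null())
        | fields Answer bad ok good
      </query>
    </search>
    <option name="charting.chart">bar</option>
    <!-- Stacking keeps one bar per Answer instead of three side-by-side
         slots, two of which would be empty. -->
    <option name="charting.chart.stackMode">stacked</option>
    <!-- Keys must match the series (field) names produced by the evals. -->
    <option name="charting.fieldColors">{"bad": 0xFF0000, "ok": 0xFFFF00, "good": 0x00FF00}</option>
  </chart>
</panel>
```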