Change bar color in bar chart based on job status in Splunk Dashboard

Question

Change bar color in bar chart based on job status.

I get below messages:

Job XYZ Finished in 275 seconds
Job XYZ Finished with errors in 454 seconds
Job XYZ Finished in 473 seconds

I tried different way but it's not working out, Can anyone help on it? Thank

index=stg_index "Job Finished in" OR "Job Finished with errors in" 
| rex "in (?<Num>[^\s]+) seconds" 
| timechart values(Num) as ExecutionTime span=60min 
| sort _time

Answer 1

We need to split the job statuses into different series (e.g. failed and ok). Here is a run anywhere example based off your initial search:

| makeresults
| eval sample = "Job XYZ Finished in 275 seconds|Job XYZ Finished with errors in 454 seconds|Job XYZ Finished in 473 seconds"
| makemv sample delim="|"
| mvexpand sample
| eval _time = _time - random() / 100000
| rename sample as _raw
| rex "in (?<exec_time>[^\s]+) seconds"
| rex "Finished with (?<status>error)"
| fillnull value="ok" status
| timechart span=60min max(exec_time) as ExecutionTime by status

Here is a specific adaptation of your initial search:

index=stg_index "Job Finished in" OR "Job Finished with errors in"
| rex "in (?<Num>[^\s]+) seconds"
| rex "Finished with (?<status>error)"
| fillnull value="ok" status
| timechart span=60min values(Num) as ExecutionTime by status

By default Splunk will give each series a different colour. If you specifically want it to be red then you'll need to save your search in a dashboard. To add specific colours to a simple XML dashboard then you can add the following tag to the XML, here is a red and green example:

<option name="charting.fieldColors">{"failed":#FF0000,"ok":#007840}</option>

Also FYI, using values(Num) in a timechart might cause a particular entry to be hidden if two or more events reside in the same span within the same series. Consider using max(Num), min(Num) or avg(Num) depending on the context of your dashboard.