All Apps and Add-ons

Status Indicator - Custom Visualization App: Not sorting results while displaying values in the visualization?

pgadhari
Builder

The Status Indicator app is not showing the results in the sorted manner when displaying the visualization in trellis format. I have a search whose output is in the sorted order like belo : (image attached)

  1. Total Divisions
  2. Total Systems
  3. Total Equipments
  4. Overall Initiatives

When I apply status indicator app viz, it takes random order like below: (image attached)

  1. Overall Initiatives
  2. Total Divisions
  3. Total Equipments
  4. Total Systems

How can this be fixed? Please help. I want to show the order as per the search result.
Attached are the images for the issue.

![alt text][2] [2]: /storage/temp/291860-status-indicator-improper-order.png

alt text

Labels (2)
0 Karma
1 Solution

niketn
Legend

[UPDATED ANSWER] As per original question there were only four splits, however, if there are more then padding is required to override alphanumeric sorting as per our need. If you have data till two digits precision following will be required | eval sort_field=printf("%2d",sort_field), where %2, takes care of ensuring up to 99 splits sorting will work fine! If you need sorting till 999, you would need to use %3

| streamstats count as sort_field
| eval sort_field=printf("%2d",sort_field), indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators

@pgadhari try the following as the only workaround I know right now:

<yourCurrentSearch>
| eval indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

[UPDATED ANSWER] As per original question there were only four splits, however, if there are more then padding is required to override alphanumeric sorting as per our need. If you have data till two digits precision following will be required | eval sort_field=printf("%2d",sort_field), where %2, takes care of ensuring up to 99 splits sorting will work fine! If you need sorting till 999, you would need to use %3

| streamstats count as sort_field
| eval sort_field=printf("%2d",sort_field), indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators

@pgadhari try the following as the only workaround I know right now:

<yourCurrentSearch>
| eval indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pgadhari
Builder

@niketnilay - there is one issue here, if the number of values goes beyond 9, then it shows the trellis in following format :

1.value 10.value 2.value 3.value.....

In my case I want to show 10 values in a trellis format, when I add the above search to my query it shows above result, ideally it shud show :

  1. value 2.value 3.value.... 10.value

How to fix that ?

0 Karma

pgadhari
Builder

as sort works in Lexicographical order, it is showing 1, then 10, then 2,3,4,5... and so on. I have attached image for your reference :

0 Karma

pgadhari
Builder

@niketnilay - I have added the trellis output image at the top in my original question. Please have a look. Thanks.

0 Karma

niketn
Legend

I have already updated my answer. Did you try with | eval sort_field=printf("%2d",sort_field)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pgadhari
Builder

yes @niketnilay - this is working like a charm. Excellent answer as always. Thank you very much.

By the way, one small query,is there any other icon-library that I can use for showing icons in Status-indicator app instead of the default icons which are there or default icons of the Splunk as per from below URL :

/en-US/static/docs/style/style-guide.html#icons

I want to use some other icons that will properly explain the dashboard, please let me know if there is any other icon library I can use ?

0 Karma

niketn
Legend

Actually Status Indicator gives you access to a lot of icons from the Font Awesome library ( it will not be the latest version though). So you need to test and see which one are actually available.
https://fontawesome.com/icons?d=gallery
There are several Splunk Answers or font awesome custom icons.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pgadhari
Builder

ok thanks I will have a look at it. Thanks for all your prompt responses and support. Appreciate it.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...