The Status Indicator app is not showing the results in the sorted manner when displaying the visualization in trellis format. I have a search whose output is in the sorted order like belo : (image attached)
When I apply status indicator app viz, it takes random order like below: (image attached)
How can this be fixed? Please help. I want to show the order as per the search result.
Attached are the images for the issue.
![alt text][2] [2]: /storage/temp/291860-status-indicator-improper-order.png
[UPDATED ANSWER] As per original question there were only four splits, however, if there are more then padding is required to override alphanumeric sorting as per our need. If you have data till two digits precision following will be required | eval sort_field=printf("%2d",sort_field)
, where %2
, takes care of ensuring up to 99
splits sorting will work fine! If you need sorting till 999
, you would need to use %3
| streamstats count as sort_field
| eval sort_field=printf("%2d",sort_field), indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators
@pgadhari try the following as the only workaround I know right now:
<yourCurrentSearch>
| eval indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators
[UPDATED ANSWER] As per original question there were only four splits, however, if there are more then padding is required to override alphanumeric sorting as per our need. If you have data till two digits precision following will be required | eval sort_field=printf("%2d",sort_field)
, where %2
, takes care of ensuring up to 99
splits sorting will work fine! If you need sorting till 999
, you would need to use %3
| streamstats count as sort_field
| eval sort_field=printf("%2d",sort_field), indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators
@pgadhari try the following as the only workaround I know right now:
<yourCurrentSearch>
| eval indicators=sort_field.". ".indicators
| stats sum(value) as value last(icon) as icon by indicators
@niketnilay - there is one issue here, if the number of values goes beyond 9, then it shows the trellis in following format :
1.value 10.value 2.value 3.value.....
In my case I want to show 10 values in a trellis format, when I add the above search to my query it shows above result, ideally it shud show :
How to fix that ?
as sort works in Lexicographical order, it is showing 1, then 10, then 2,3,4,5... and so on. I have attached image for your reference :
@niketnilay - I have added the trellis output image at the top in my original question. Please have a look. Thanks.
I have already updated my answer. Did you try with | eval sort_field=printf("%2d",sort_field)
?
yes @niketnilay - this is working like a charm. Excellent answer as always. Thank you very much.
By the way, one small query,is there any other icon-library that I can use for showing icons in Status-indicator app instead of the default icons which are there or default icons of the Splunk as per from below URL :
/en-US/static/docs/style/style-guide.html#icons
I want to use some other icons that will properly explain the dashboard, please let me know if there is any other icon library I can use ?
Actually Status Indicator gives you access to a lot of icons from the Font Awesome library ( it will not be the latest version though). So you need to test and see which one are actually available.
https://fontawesome.com/icons?d=gallery
There are several Splunk Answers or font awesome custom icons.
ok thanks I will have a look at it. Thanks for all your prompt responses and support. Appreciate it.