Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Sort single value trellis by value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've seen a few posts on this topic but couldn't find an answer that fits my use case.
How can I change the sort order of data in a Trell... - Splunk Community This one suggests adding spaces before the aggregated field but uses static data.
I have a single value trellis visualization on a dashboard that updates based on time-range radio buttons. The values change every few days so I need a solution that is flexible with data updates.
| my search
| stats count(Alert) as Alerts by App
The results have between 15-40 Apps, depending on time-range, that have values from 1-40. Since the treillis will only show 20 results on the first page, it would be much better to show the highest values first instead of alphabetical order of the App names.
I tried adding an eval statement at the end to assign the values to each App but this sorts it from lowest to highest and doesn't account for double digits correctly. Sorting them 1, 14, 2, 23, 3, 35, 38, 4, 41
| my search
| stats count(Alert) as Alerts by App
| eval App="(".Alerts.") ".App
| stats values(Alerts) by App
If there isn't a direct way to sort by value, I feel like this is on the right path but not quite right.
How to sort on single value in trellis? - Splunk Community This seems to be inline with my train of thought but not sure how the "severity" field is generated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works but is a pretty lengthy solution once the values start getting larger:
| stats count(Alert) as Alerts by App
| eval order=case(Alert=1, "1", Alert=2, "2", Alert=3, "3", Alert=4, "4")
| eval App=printf("%*s", len(App)+order, App)
| stats values(Alerts) by App
If anyone has a simplified solution I'd appreciate it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works but is a pretty lengthy solution once the values start getting larger:
| stats count(Alert) as Alerts by App
| eval order=case(Alert=1, "1", Alert=2, "2", Alert=3, "3", Alert=4, "4")
| eval App=printf("%*s", len(App)+order, App)
| stats values(Alerts) by App
If anyone has a simplified solution I'd appreciate it
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
