I've seen a few posts on this topic but couldn't find an answer that fits my use case. 

How can I change the sort order of data in a Trell... - Splunk Community This one suggests adding spaces before the aggregated field but uses static data.

I have a single value trellis visualization on a dashboard that updates based on time-range radio buttons. The values change every few days so I need a solution that is flexible with data updates.

| my search
| stats count(Alert) as Alerts by App

The results have between 15-40 Apps, depending on time-range, that have values from 1-40. Since the treillis will only show 20 results on the first page, it would be much better to show the highest values first instead of alphabetical order of the App names.

I tried adding an eval statement at the end to assign the values to each App but this sorts it from lowest to highest and doesn't account for double digits correctly. Sorting them 1, 14, 2, 23, 3, 35, 38, 4, 41

| my search
| stats count(Alert) as Alerts by App
| eval App="(".Alerts.") ".App
| stats values(Alerts) by App

If there isn't a direct way to sort by value, I feel like this is on the right path but not quite right.

How to sort on single value in trellis? - Splunk Community This seems to be inline with my train of thought but not sure how the "severity" field is generated.