How to split query result like using Trellis of V...

mihir_hardas · ‎05-19-2022

A search query in Dashobard Classic when split by Trellis in Visualization tab i gives 4 pie charts

index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta
| eval accuracy_category = case( abs(lastEndDelta) <= 600, 10, (abs(lastEndDelta) > 600 and abs(lastEndDelta) <= 1200), 20, (abs(lastEndDelta) > 1200 and abs(lastEndDelta) <= 1800), 30, 1==1,40)
| eval timeDistance_category = case(timeDistance < 3600, 1, (timeDistance>3600 and timeDistance<7200),2,(timeDistance>7200 and timeDistance<10800),3,1==1,4)

| chart count by accuracy_category

But if the same is embedded in Dashboard Studio I have to add a where clause to create the query result in 4 parts to get 4 pie charts becuase I cannot find Trellis option.

How to get 4 piecharts ( split by ... Trellis ) in Dashboard Studio ?

| where timeDistance_category=1

mihir_hardas · ‎05-19-2022

Thank you for your note. Since Trellis is not available in Dashboard Studio, what should be a good recommended workaround ?

somesoni2 · ‎05-20-2022

I've not got a chance to play around with it, but I believe best option would be to use chained searches (similar to post-process in Classic dashboard). This way you'd be running one main search and then filter/branch out results from that search (in your case, different where clause). See more here:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/DashStudio/dsChain

somesoni2 · ‎05-19-2022

Trellies are not supported on Dashboard Studio and AFAIK, there are no alternatives yet.

How to split query result like using Trellis of Visualizatoin in search in Dashboard Studio

Dashboard Studio

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes