Re: How to split query result like using Trellis ...

mihir_hardas · ‎05-19-2022

A search query in Dashobard Classic when split by Trellis in Visualization tab i gives 4 pie charts

index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta
| eval accuracy_category = case( abs(lastEndDelta) <= 600, 10, (abs(lastEndDelta) > 600 and abs(lastEndDelta) <= 1200), 20, (abs(lastEndDelta) > 1200 and abs(lastEndDelta) <= 1800), 30, 1==1,40)
| eval timeDistance_category = case(timeDistance < 3600, 1, (timeDistance>3600 and timeDistance<7200),2,(timeDistance>7200 and timeDistance<10800),3,1==1,4)

| chart count by accuracy_category

But if the same is embedded in Dashboard Studio I have to add a where clause to create the query result in 4 parts to get 4 pie charts becuase I cannot find Trellis option.

How to get 4 piecharts ( split by ... Trellis ) in Dashboard Studio ?

| where timeDistance_category=1

mihir_hardas · ‎05-19-2022

Thank you for your note. Since Trellis is not available in Dashboard Studio, what should be a good recommended workaround ?

somesoni2 · ‎05-20-2022

I've not got a chance to play around with it, but I believe best option would be to use chained searches (similar to post-process in Classic dashboard). This way you'd be running one main search and then filter/branch out results from that search (in your case, different where clause). See more here:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/DashStudio/dsChain

somesoni2 · ‎05-19-2022

Trellies are not supported on Dashboard Studio and AFAIK, there are no alternatives yet.

How to split query result like using Trellis of Visualizatoin in search in Dashboard Studio

Dashboard Studio

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?