In a trellis layout, how come the "split by" field is only showing "Aggregations"?

jrico8
Engager

I have some data which I have arranged in a table format, the names and [types] of which are as follows:

error_type [string], timeBin [number], error_id [number], numErrors [number], env [one of 4 different strings]

I do some work to extract the data I want, and then I run "table error_type, timeBin, error_id, numErrors, env" to obtain the layout above. I set the visualization to Bubble Chart and this works just fine: I get timeBin on the x-axis, error_id on the y-axis, circle size based on numErrors, and coloring based on error_type. The field "env" is ignored.

Now, I want to set up a trellis layout for this data, such that it's split into 4 Bubble Charts based on the 4 different string values of the field "env". I would expect to do this by setting "Split by" to "env", but I only have the option of splitting by "Aggregations". I even tried adding the option manually through XML:

<option name="trellis.splitBy">env</option>

However, this results in an empty chart display. I'm kind of stumped as to how the trellis layout decides what fields it can split by and how to do so.

Any help is much appreciated.

1 Solution

niketn
Legend

@jrico8, you would need to split your results using a by field. Depending on your use case, the stats, chart or timechart command should be present at the end.

Following is a run-anywhere example based on Splunk's _internal index which can plot a Bubble chart for various HTTP error statuses. Please try out and confirm the two approaches mentioned. For simplicity I have duplicated the status field. However, you can split by the env field as per your data, and error type can be used to categorize the events (bubbles).

<dashboard>
  <label>Trellis Bubble Chart</label>
  <row>
    <panel>
      <chart>
        <title>Trellis Bubble Chart Option 1</title>
        <search>
          <query>index=_internal sourcetype=splunkd_access status!=200
| eval status_for_trellis_split=status
| stats count sum(bytes) as "Total Bytes" by status_for_trellis_split, status, date_hour</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <option name="height">235</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Trellis Bubble Chart Option 2</title>
        <search>
          <query>index=_internal sourcetype=splunkd_access status!=200
| stats count sum(bytes) as bytes by status, date_hour
| eval status_for_trellis_split=status
| stats sum(count) sum(bytes) as "Total Bytes" by status_for_trellis_split status date_hour</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <option name="height">235</option>
      </chart>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jrico8
Engager

Thanks! I ended up not really needing a Trellis layout here. However, I can confirm that the fields you want Trellis to split by need to be formed with a "by" clause.

The deeper issue here, I think, is that it's not immediately clear as a user what makes fields formed with a "by" clause special. I suspect the reasoning here is that "by" clauses pre-inform Splunk about all the possible values of the field, which it can then use for the Trellis split. However, I don't really see a reason why this can't be done for any field, regardless of whether it was created with a "by" clause.

0 Karma

mikeydee
Explorer

Very useful post. I got here from spending an afternoon unable to get a drilldown working from trellis'd single value to another dashboard. Each time you click, the $trellis.value$ was not populated. It was because I had a table command following my final stats command. Replacing the table with a refined stats command sorted it out. Thanks for your answer.
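Putting niketn's answer and mikeydee's comment together for the fields in the original question, here is an added panel (not posted by anyone in this thread) whose last command is stats with a by clause, so env is offered as a trellis split field and $trellis.value$ is populated for the drilldown. The index name my_errors, the sourcetype app_errors, the target dashboard error_detail and the form.env token are placeholders.

```xml
<dashboard>
  <label>Errors by env (added example, not from the thread)</label>
  <row>
    <panel>
      <chart>
        <title>Error bubbles per env</title>
        <search>
          <!-- Placeholder index/sourcetype: replace with your own.
               The original search ended in "table error_type, timeBin, error_id, numErrors, env";
               that final table command is replaced by stats so every field the trellis
               splits on comes from a by clause. The split field is listed first, as in
               niketn's example, and numErrors is aggregated rather than tabled. -->
          <query>index=my_errors sourcetype=app_errors
| stats sum(numErrors) as numErrors by env, error_type, timeBin, error_id</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">bubble</option>
        <!-- "all" instead of "none": the drilldown below needs clicks enabled -->
        <option name="charting.drilldown">all</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <!-- env is now a by field, so it is a valid split value -->
        <option name="trellis.splitBy">env</option>
        <option name="height">235</option>
        <drilldown>
          <!-- $trellis.value$ carries the env of the clicked trellis cell; it stays
               empty if a table command follows the final stats (mikeydee's case).
               Dashboard name and token are placeholders. -->
          <link target="_blank">/app/search/error_detail?form.env=$trellis.value$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```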

Sharzi
Explorer

I had the same problem, but I wasn't aware of "$trellis.value$"!  It solved my problem. Thanks!

0 Karma

niketn
Legend

@mikeydee I am glad you found this useful 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@jrico8, it would be a question for the Splunk team to confirm the details of the actual Trellis implementation. However, the concept of split by should make sense: in the same way we split the results by an aggregate field (or fields), Trellis splits built-in visualizations by the same aggregate field(s).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vxsplunk
Explorer

If my understanding of Trellis is right, you cannot use the trellis layout on a table:

Trellis layout is not available for table visualizations or cluster maps.
http://docs.splunk.com/Documentation/Splunk/7.2.0/Viz/VisualizationTrellis#Access_the_trellis_layout...

Can you use stats? Like: .. | stats count by env

0 Karma

niketn
Legend

@vxsplunk, the above limitation for the Trellis layout is listed for the table visualization and map visualization, not for the table command. However, for splits to work, the transforming command should have a split-by field. Hence you are right that use of stats would work, provided it has aggregation by field.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vxsplunk
Explorer

@niketnilay Thanks for your feedback!

0 Karma