Getting Data In

In a trellis layout, how come the "split by" field is only showing "Aggregations"?

Engager

I have some data which I have arranged in a table format, the names and [types] of which are as follows:

error_type [string], timeBin [number], error_id [number], numErrors [number], env [one of 4 different strings]

I do some work to extract the data I want, and then I run "table error_type, timeBin, error_id, numErrors, env" to obtain the layout above. I set the visualization to Bubble Chart and this works just fine: I get timeBin on the x-axis, error_id on the y-axis, circle size based on numErrors, and coloring based on error_type. The field "env" is ignored.

Now, I want to set up a trellis layout for this data, such that it's split into 4 Bubble Charts based on the 4 different string values of the field "env". I would expect to do this by setting "Split by" to "env", but I only have the option of splitting by "Aggregations". I even tried adding the option manually through XML:

<option name="trellis.splitBy">env</option>

However, this results in an empty chart display. I'm kind of stumped as to how the trellis layout decides what fields it can split by and how to do so.

Any help is much appreciated.

0 Karma
1 Solution

Legend

@jrico8, you would need to split your results using a by field. Depending on your use case, a stats, chart or timechart command should be present at the end.

Following is a run-anywhere example based on Splunk's _internal index which plots a Bubble chart for various HTTP error status values. Please try out and confirm the two approaches mentioned. For simplicity I have duplicated the status field. However, you can split by the env field as per your data, and error type can be used to categorize the events (bubbles).

<dashboard>
  <label>Trellis Bubble Chart</label>
  <row>
    <panel>
      <chart>
        <title>Trellis Bubble Chart Option 1</title>
        <search>
          <query>index=_internal sourcetype=splunkd_access status!=200
| eval status_for_trellis_split=status
| stats count sum(bytes) as "Total Bytes" by status_for_trellis_split, status, date_hour</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <option name="height">235</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Trellis Bubble Chart Option 2</title>
        <search>
          <query>index=_internal sourcetype=splunkd_access status!=200
| stats count sum(bytes) as bytes by status, date_hour
| eval status_for_trellis_split=status
| stats sum(count) sum(bytes) as "Total Bytes" by status_for_trellis_split status date_hour</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.size">medium</option>
        <option name="height">235</option>
      </chart>
    </panel>
  </row>
</dashboard>

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



Engager

Thanks! I ended up not really needing a Trellis layout here. However, I can confirm that the fields you want Trellis to split by need to be formed with a "by" clause.

The deeper issue here, I think, is that it's not immediately clear as a user what makes fields formed with a "by" clause special. I suspect the reasoning here is that "by" clauses pre-inform Splunk about all the possible values of the field, which it can then use for the Trellis split. However, I don't really see a reason why this can't be done for any field, regardless of whether it was created with a "by" clause.

0 Karma

Explorer

Very useful post. I got here from spending an afternoon unable to get a drilldown working from trellis'd single value to another dashboard. Each time you click, the $trellis.value$ was not populated. It was because I had a table command following my final stats command. Replacing the table with a refined stats command sorted it out. Thanks for your answer.
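The following Simple XML dashboard is an added example, not code from any post above. It applies the accepted answer and jrico8's confirmation to the exact fields named in the question (error_type, timeBin, error_id, numErrors, env) and also shows the $trellis.value$ drilldown point from the comment above. The data rows are constructed inline with makeresults so the dashboard runs on any Splunk instance with no index; the drilldown target dashboard "env_detail" and its "env" form token are hypothetical names. The first panel ends in table, as the question did, and reproduces the empty trellis; the second panel ends in stats with env as a by field, so env becomes a valid split-by and the drilldown token is populated.

```xml
<dashboard>
  <label>Trellis split on env (added example)</label>
  <row>
    <panel>
      <chart>
        <title>Does not split: final command is table, so env is not a by field</title>
        <search>
          <!-- Constructed sample rows: error_type|timeBin|error_id|numErrors|env -->
          <query>| makeresults
| eval row=split("timeout|1|101|12|prod;timeout|2|101|7|prod;parse|1|102|3|dev;parse|2|102|9|dev;auth|1|103|5|qa;auth|2|103|2|staging", ";")
| mvexpand row
| eval f=split(row, "|"), error_type=mvindex(f,0), timeBin=tonumber(mvindex(f,1)), error_id=tonumber(mvindex(f,2)), numErrors=tonumber(mvindex(f,3)), env=mvindex(f,4)
| table error_type, timeBin, error_id, numErrors, env</query>
        </search>
        <option name="charting.chart">bubble</option>
        <option name="trellis.enabled">1</option>
        <!-- Same setting the question tried by hand; with table at the end the panel renders empty -->
        <option name="trellis.splitBy">env</option>
        <option name="height">235</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Splits: env is a by field of the final stats</title>
        <search>
          <query>| makeresults
| eval row=split("timeout|1|101|12|prod;timeout|2|101|7|prod;parse|1|102|3|dev;parse|2|102|9|dev;auth|1|103|5|qa;auth|2|103|2|staging", ";")
| mvexpand row
| eval f=split(row, "|"), error_type=mvindex(f,0), timeBin=tonumber(mvindex(f,1)), error_id=tonumber(mvindex(f,2)), numErrors=tonumber(mvindex(f,3)), env=mvindex(f,4)
| stats sum(numErrors) as numErrors by env, error_type, timeBin, error_id</query>
        </search>
        <!-- Column order after stats: env (trellis split), error_type (bubble name/colour),
             timeBin (x), error_id (y), numErrors (size), matching the mapping in the question -->
        <option name="charting.chart">bubble</option>
        <option name="charting.legend.placement">none</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.splitBy">env</option>
        <option name="trellis.size">medium</option>
        <option name="height">235</option>
        <drilldown>
          <!-- Hypothetical target dashboard and form token; $trellis.value$ carries the env of the clicked panel -->
          <link target="_blank">/app/search/env_detail?form.env=$trellis.value$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```

Paste the XML as a new dashboard in the Search app and open it; the second panel renders four bubble charts (prod, dev, qa, staging), and its Split by selector offers env, error_type, timeBin and error_id rather than only Aggregations, because each is a by field of the last transforming command. Appending a table after the stats turns the selector back to Aggregations only and leaves $trellis.value$ empty in the drilldown URL, which is the behaviour described in the comment above.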

Legend

@mikeydee I am glad you found this useful 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Legend

@jrico8, it would be a question for the Splunk team to confirm the details of the actual Trellis implementation. However, the concept of split by should make sense. The way we split the results by an aggregate field (or fields) is the same way Trellis splits built-in visualizations by the same aggregate field(s).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

If my understanding of Trellis is right, you cannot use the trellis layout on a table:

Trellis layout is not available for table visualizations or cluster maps.
http://docs.splunk.com/Documentation/Splunk/7.2.0/Viz/VisualizationTrellis#Access_the_trellis_layout...

Can you use stats ? Like: .. | stats count by env

0 Karma

Legend

@vxsplunk, the above limitation for Trellis layout applies to the table visualization and the map visualization, not to the table command. However, for splits to work, the transforming command should have a split-by field. Hence you are right that use of stats would work, provided it has an aggregation by field.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

@niketnilay Thanks for your feedback!

0 Karma