Splunk Search

Does the Trellis visualisation work with real time searches?

Path Finder

I am attempting to make a trellis visualization off the sample data :

* clientip=* 
| iplocation clientip 
| lookup prod product_id output product_name
| top product_name limit=5 by Country

This works fine on a historical search. However, if I switch to real-time search the visualization does not display as expected.
Instead of being split by country, the only available "split by" option in the trellis formatting UI is "Aggregations (4)" and 4 bar charts are displayed: product_name, country, count and percent with no y-axis.

The doc page for the trellis visualization seems to suggest that there is something special about the by clause. it returns a list of possible values which the visualization needs to make its charts I guess. And you can see why that might not work with real-time streamed matches. But it is not explicitly called out as being incompatible.

Am I doing something wrong, or is it impossible to make a trellis chart with real-time searches?

0 Karma

Path Finder

update - when you stop the search it generates the charts correctly

0 Karma

@ewan000 Trellis Layout with Real-Time Search works fine for me.

Could you share more details about your dashboard? Which Splunk version are you using? What is search query, which trellis visualization and also how much data, time window are you looking at? Simple XML code snippet and sample data would help us assist you better. Please mock/anonymize any sensitive information before posting the same on Splunk Answers.

Also, instead of real-time search can you try relative-time search with a search refresh for specific time interval like 1 min or 5 min?


If you feel this is a bug in Trellis behavior with real-time search you should reach out to Splunk Support Team with your Splunk entitlement and raise a case for the same. Also add a BUG tag to this question.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Its maybe a problem with the lookup.
Can you add this to your lookup command:

| lookup prod product_id output product_name append=true

Let me know if it help you !

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...