Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does the Trellis visualisation work with real time searches?

ewan000
Path Finder
‎07-18-2019 08:39 AM

I am attempting to make a trellis visualization off the sample data :

* clientip=* 
| iplocation clientip 
| lookup prod product_id output product_name
| top product_name limit=5 by Country

This works fine on a historical search. However, if I switch to real-time search the visualization does not display as expected.
Instead of being split by country, the only available "split by" option in the trellis formatting UI is "Aggregations (4)" and 4 bar charts are displayed: product_name, country, count and percent with no y-axis.

The doc page for the trellis visualization seems to suggest that there is something special about the by clause. it returns a list of possible values which the visualization needs to make its charts I guess. And you can see why that might not work with real-time streamed matches. But it is not explicitly called out as being incompatible.

Am I doing something wrong, or is it impossible to make a trellis chart with real-time searches?

0 Karma
Reply

ewan000
Path Finder
‎07-18-2019 08:46 AM

update - when you stop the search it generates the charts correctly

0 Karma
Reply

niketn
Legend
‎07-20-2019 09:26 AM

@ewan000 Trellis Layout with Real-Time Search works fine for me.

Could you share more details about your dashboard? Which Splunk version are you using? What is search query, which trellis visualization and also how much data, time window are you looking at? Simple XML code snippet and sample data would help us assist you better. Please mock/anonymize any sensitive information before posting the same on Splunk Answers.

Also, instead of real-time search can you try relative-time search with a search refresh for specific time interval like 1 min or 5 min?

      <refresh>5m</refresh>
      <refreshType>delay</refreshType>

If you feel this is a bug in Trellis behavior with real-time search you should reach out to Splunk Support Team with your Splunk entitlement and raise a case for the same. Also add a BUG tag to this question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

KailA
Contributor
‎07-19-2019 08:43 AM

Its maybe a problem with the lookup.
Can you add this to your lookup command:

| lookup prod product_id output product_name append=true

Let me know if it help you !

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...