Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the Trellis visualisation work with real time searches?

ewan000
Path Finder
‎07-18-2019 08:39 AM

I am attempting to make a trellis visualization off the sample data :

* clientip=* 
| iplocation clientip 
| lookup prod product_id output product_name
| top product_name limit=5 by Country

This works fine on a historical search. However, if I switch to real-time search the visualization does not display as expected.
Instead of being split by country, the only available "split by" option in the trellis formatting UI is "Aggregations (4)" and 4 bar charts are displayed: product_name, country, count and percent with no y-axis.

The doc page for the trellis visualization seems to suggest that there is something special about the by clause. it returns a list of possible values which the visualization needs to make its charts I guess. And you can see why that might not work with real-time streamed matches. But it is not explicitly called out as being incompatible.

Am I doing something wrong, or is it impossible to make a trellis chart with real-time searches?

0 Karma
Reply

ewan000
Path Finder
‎07-18-2019 08:46 AM

update - when you stop the search it generates the charts correctly

0 Karma
Reply

niketn
Legend
‎07-20-2019 09:26 AM

@ewan000 Trellis Layout with Real-Time Search works fine for me.

Could you share more details about your dashboard? Which Splunk version are you using? What is search query, which trellis visualization and also how much data, time window are you looking at? Simple XML code snippet and sample data would help us assist you better. Please mock/anonymize any sensitive information before posting the same on Splunk Answers.

Also, instead of real-time search can you try relative-time search with a search refresh for specific time interval like 1 min or 5 min?

      <refresh>5m</refresh>
      <refreshType>delay</refreshType>

If you feel this is a bug in Trellis behavior with real-time search you should reach out to Splunk Support Team with your Splunk entitlement and raise a case for the same. Also add a BUG tag to this question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

KailA
Contributor
‎07-19-2019 08:43 AM

Its maybe a problem with the lookup.
Can you add this to your lookup command:

| lookup prod product_id output product_name append=true

Let me know if it help you !

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...