Splunk Search

How to sort the result set or remove paging on trellis chart?

New Member

Hi All,

I am trying to create a trellis chart to provide the details of 32 components. Trellis chart is showing just 20 components on a page and the next 12 components are showing on a different page. I would like to remove paging and want to showcase all components on a single page.

I tried to showcase the top usage components at first and least can be on the second page. But, the Trellis chart is not supporting sorting order as well.

Is anybody in the same boat as me? Please suggest.

0 Karma

Super Champion

So there seems to be an issue with the way trellis reacts with sorting.

My best solution for this is to append numbers to the field names before charting them. Something like |eval field=if(field="first_viewed_field","1_first_viewed_field",field="second_viewed_field","1_second_viewed_field",...)

Since you want to view your results by top used to least used, you can utilize streamstats
Something like

 <basesearch that gets you columns with components, counts, and whatever other thing you were charting with (time, maybe)> |sort 0 - count|streamstats count as header by component|eval component=header."-".component|chart values(count) as count by _time(or whatever this was) component

adjust as needed, based on the query you're actually working with - I realize that this is likely not accurate since I'm not sure what you're query or data looks like. If you provide that information, I might be able to help more. this type of strategy, though, should automatically put the fields in a different order.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!