Splunk Search

How to sort the result set or remove paging on trellis chart?

New Member

Hi All,

I am trying to create a trellis chart to provide the details of 32 components. Trellis chart is showing just 20 components on a page and the next 12 components are showing on a different page. I would like to remove paging and want to showcase all components on a single page.

I tried to showcase the top usage components at first and least can be on the second page. But, the Trellis chart is not supporting sorting order as well.

Is anybody in the same boat as me? Please suggest.

0 Karma

Super Champion

So there seems to be an issue with the way trellis reacts with sorting.

My best solution for this is to append numbers to the field names before charting them. Something like |eval field=if(field="first_viewed_field","1_first_viewed_field",field="second_viewed_field","1_second_viewed_field",...)

Since you want to view your results by top used to least used, you can utilize streamstats
Something like

 <basesearch that gets you columns with components, counts, and whatever other thing you were charting with (time, maybe)> |sort 0 - count|streamstats count as header by component|eval component=header."-".component|chart values(count) as count by _time(or whatever this was) component

adjust as needed, based on the query you're actually working with - I realize that this is likely not accurate since I'm not sure what you're query or data looks like. If you provide that information, I might be able to help more. this type of strategy, though, should automatically put the fields in a different order.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...