single value visualization sorting issue

Puvi · ‎11-29-2019

Hi,

i have a query which sorts the results, but when i change it to single value its not getting sorted
can anyone help in this?

woodcock · ‎12-01-2019

The trellis (and other) features will resort your stuff alphabetically so if you need to keep certain things in front, you need to add a series of leading spaces to the value, which will cause them to remain sorted your way but still appear the same when used as a field name, something like this:

| makeresults count=5
| streamstats count
| eval sortmebad=case(count==1, "one", count==2, "two", count==3, "three", count==4, "four", true(), "five")
| eval sortmegood=case(count==1, "    one", count==2, "   two", count==3, "  three", count==4, " four", true(), "five")
| multireport
[ | sort 0 sortmebad | eval sortmegood=null() ]
[ | sort 0 sortmegood | eval sortmebad=null() ]

niketn · ‎12-01-2019

@Puvi is it Single Value with Trellis Layout?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Puvi · ‎12-01-2019

yes it is using trells layout

richgalloway · ‎11-29-2019

What is the query?

---
If this reply helps you, Karma would be appreciated.

single value visualization sorting issue

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

single value visualization sorting issue

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant