Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

single value visualization sorting issue

Puvi
New Member
‎11-29-2019 02:42 AM

Hi,

i have a query which sorts the results, but when i change it to single value its not getting sorted
can anyone help in this?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎12-01-2019 02:34 PM

The trellis (and other) features will resort your stuff alphabetically so if you need to keep certain things in front, you need to add a series of leading spaces to the value, which will cause them to remain sorted your way but still appear the same when used as a field name, something like this:

| makeresults count=5
| streamstats count
| eval sortmebad=case(count==1, "one", count==2, "two", count==3, "three", count==4, "four", true(), "five")
| eval sortmegood=case(count==1, "    one", count==2, "   two", count==3, "  three", count==4, " four", true(), "five")
| multireport
[ | sort 0 sortmebad | eval sortmegood=null() ]
[ | sort 0 sortmegood | eval sortmebad=null() ]
Reply

niketn
Legend
‎12-01-2019 07:23 AM

@Puvi is it Single Value with Trellis Layout?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

Puvi
New Member
‎12-01-2019 09:25 PM

yes it is using trells layout

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2019 08:14 PM

What is the query?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...