single value visualization sorting issue

Puvi · ‎11-29-2019

Hi,

i have a query which sorts the results, but when i change it to single value its not getting sorted
can anyone help in this?

woodcock · ‎12-01-2019

The trellis (and other) features will resort your stuff alphabetically so if you need to keep certain things in front, you need to add a series of leading spaces to the value, which will cause them to remain sorted your way but still appear the same when used as a field name, something like this:

| makeresults count=5
| streamstats count
| eval sortmebad=case(count==1, "one", count==2, "two", count==3, "three", count==4, "four", true(), "five")
| eval sortmegood=case(count==1, "    one", count==2, "   two", count==3, "  three", count==4, " four", true(), "five")
| multireport
[ | sort 0 sortmebad | eval sortmegood=null() ]
[ | sort 0 sortmegood | eval sortmebad=null() ]

niketn · ‎12-01-2019

@Puvi is it Single Value with Trellis Layout?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Puvi · ‎12-01-2019

yes it is using trells layout

richgalloway · ‎11-29-2019

What is the query?

---
If this reply helps you, Karma would be appreciated.

single value visualization sorting issue

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup