I am attempting to make a trellis visualization off the sample data :
* clientip=*
| iplocation clientip
| lookup prod product_id output product_name
| top product_name limit=5 by Country
This works fine on a historical search. However, if I switch to a real-time search, the visualization does not display as expected.
Instead of being split by country, the only available "split by" option in the trellis formatting UI is "Aggregations (4)", and 4 bar charts are displayed: product_name, country, count, and percent, with no y-axis.
The doc page for the trellis visualization seems to suggest that there is something special about the by clause: it returns a list of possible values which the visualization needs to make its charts, I guess. And you can see why that might not work with real-time streamed matches. But it is not explicitly called out as being incompatible.
Am I doing something wrong, or is it impossible to make a trellis chart with real-time searches?