Sorting Tricks with Splunk Single Value Visualization in Trellis View based on Count

Sorting Tricks with Splunk Single Value Visualization in Trellis View based on Count

In the case of single-value trellis visualization, Splunk will sorts the split-by field in increasing order by default. However, if we need to classify the non-split-by field means on basis of the count.

split 

Let’s have a sample query

query 2 

If the single-value trellis visualization will be created it would look the same as this.

 single value trellis visualization 

As seen in this example the “method” field remains a split-by field.  That is why through default sorting it’s affected via “method” field values.  If you need to do the sorting depending on “count” field values, you will have 2 solutions for this issue. The solutions are as follows. 

Solution one

Replace your search query with this.

Solution one 

As known, Splunk will automatically sort split-by-field. Therefore, what can one do at first sort “count” field as per the requirement then depending on that sorting append 1,2,3,…… using the split via field values. After all that, you can bring every “method” field-values in X-axis. This means that every value will be transferred to various columns & you’ll get a corresponding “count” for specific method values. In this case flower bracket ( {} ) is used with eval command.

Rename Field(column) Names Dynamically In Splunk Donut – Custom Visualization

Custom Visualization 

Take a look into visualization

visualization

 Remember, when you will have more than 10 values in a split-by field then you need to substitute 1,2,…. up to 9 values at ‘AA’ field using 01,02,…..09 correspondingly.

Now there’s one disadvantage with this approach. We require to append 1,2,3….. Occasionally this is undesirable. There is another different way of doing it. You will use a different query this time. This will be visualized excellently.

Solution two

Solution two 

In this case, you will be appending space instead of appending numbers. The result will appear like this.

new search 2 

The visualization will be

Implement any of the two mentioned processes

Implement any of the two mentioned processes described above as per the requirement.

Terry White

Terry White is a professional Drupal & WordPress developer, Web developer, Web designer, Software Engineer, and Blogger. He strives for pixel-perfect design, clean robust code, and a user-friendly interface. If you have a project in mind and like his work, feel free to contact him

View all posts by Terry White →