Spread our blog

Sorting Tricks With Splunk Single Value Visualization In Trellis View On The Basis Of Count

Hello Everyone today we have come with another interesting topic of Splunk. As we all know in case of single value trellis visualization by default Splunk sorts the split-by field in ascending order. But what if we want to sort the non-split-by field means on the basis of count.
Let’s take an example.

1
Now I think you got my point; we want to achieve the second scenario where we will do the sorting on non-split-by fields.
Let’s take a sample query as follows :

index=_internal sourcetype=splunkd_ui_access 
| stats count by method

Now if we create the single value trellis visualization it will look like this.
3

2

Here one can see that the “method” field is a split-by field, that’s why by default sorting is affected by “method” field values.
Now if you want to do the sorting based on “count” field values.  There are two solutions for this problem. Those are follows :

Solution 1:
Now replace your search query with this,

index=_internal sourcetype=splunkd_ui_access
| stats count by method 
| sort count 
| streamstats count as "AA" 
| eval method=AA.".".method 
| fields - AA 
| eval {method}=count 
| filldown 
| tail 1 
| fields - method,count

As we know Splunk by default sort the split-by field. So what we can do, at first sort the “count” field as per your requirement then according to that sorting append 1,2,3,…… with the split by field values. After that bring all “method” field values in the X-axis that mean all the values will be now transferred to different columns and you will get corresponding “count” for the particular method values. Here we have used flower bracket ( {} ) with eval command. To know more about the usage of  flower bracket you can follow our other blogs as well.

HOW TO RENAME FIELD(COLUMN) NAMES DYNAMICALLY IN SPLUNK
DONUT – CUSTOM VISUALIZATION

That’s it your requirement is completed I guess, let’s take a look then.

4
And hold on take a look into the visualization now….

5

NOTE: When you will have more than 10 values in split-by field then 
we may need to replace 1,2,....upto 9 values in ‘AA’ field 
with 01,02,.....09 respectively. 

Now there is also one disadvantage in this approach i.e. we need to append 1,2,3….. Sometimes this can be undesirable. So what’s next? Is there any other way to do it? Yes we have.
We have a different query this time, by using that it can be visualized effectively.

Solution 2:

index=_internal sourcetype=splunkd_ui_access
| stats count by file 
| sort - count 
| streamstats count as "AA" 
| eval file = printf("%*s", len(file) + AA, file) 
| stats values(count) as MethodCount by file

This time instead of appending numbers we are appending space.and the result will look like this.

6
And hold on take a look into the visualization now….

7
Hope you all have enjoyed this blog. We have described two different process as per your requirement you can implement any of these two mentioned processes.

Happy Splunking!!

What’s your Reaction?
+1
+1
+1
1
+1
+1
+1
+1

Spread our blog

3 COMMENTS

  1. Thank you so much for this great information. I would like ask if you could share the query which can display the time it takes to execute for both saved and Real time searches.

    Also please share the instructions if you could about how to limiting users to run the real time or scheduled searches on a given day.

    Thank you!

    Your explanation is awesome and very well articulated

  2. hello! i would really appreciate the same query-fu that can show trends too. what i found so far is that i need to use timechart instead of stats, and i could use trellis layout for that, but the sorting gets messy this way.

    thank you

LEAVE A REPLY

Please enter your comment!
Please enter your name here