How to prevent chart command from only displaying top 10 count results and lumping everything else into OTHER?

mrfredman
Path Finder

Hi,

I have an input table with 3 inputs: id, name, and date. I'm attempting to chart the count of id's by name over time.

I'm currently using the following command:

chart count(id) over time by name

This gives me the exact formatting I'm looking for, but I'm running into an issue where all but the 10 names with the highest count get lumped together in a new column called OTHER that seems to be generated by Splunk.

How can I prevent this from happening and ensure Splunk displays all of the names, not just the top 10?


sideview
SplunkTrust

It's a little unusual to have chart command used when the x-axis is time, as this is really what timechart command is designed for. If you haven't taken a look already, I recommend doing so; you may prefer the way timechart handles the bucketing of times, drilldown and other behaviors.

Also make sure you're aware that count(id) is going to count the number of occurrences of the "id" field, and it will not count the number of distinct occurrences, which would be dc(id).

Anyway, moving on to your question about "OTHER", which is a feature of both timechart and chart: superficially, you can remove the "OTHER" from the results with "useother=f", but doing this is usually a bad idea. The reason is that while the useother argument removes the OTHER column, it does not actually alter the underlying behavior of listing only the top 10! Instead you're just removing the only clear evidence that the list is truncated, and you can see how confusion might result.

So instead, a better approach is to raise the limit from the default of 10 with the limit argument, i.e. limit=100 in the following.

chart count(id) over time by name limit=100 

or using timechart,

timechart count(id) by name limit=100 

If/when you have more than that number there, you'll still get an OTHER column. Change it to 500 or 1000 if you like of course. 😃
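To make the answer's point concrete, here is an added Python model of what `chart ... over time by name` does with `limit` and `useother` (example code written for this page, not Splunk's implementation and not part of the original thread). It assumes, as a simplification, that the top series are chosen by their total across all time buckets; the sample events are constructed. It also contrasts `count(id)` with `dc(id)`, and includes a `distinct_names` helper that returns the limit you would actually need so that nothing is truncated.

```python
from collections import defaultdict

# Constructed sample events: (time bucket, id, name). Not data from the post.
EVENTS = [
    ("2024-01-01", "a1", "alice"),
    ("2024-01-01", "a1", "alice"),   # same id twice: count(id)=2 but dc(id)=1
    ("2024-01-01", "b1", "bob"),
    ("2024-01-02", "a2", "alice"),
    ("2024-01-02", "c1", "carol"),
    ("2024-01-02", "c2", "carol"),
    ("2024-01-02", "d1", "dave"),
    ("2024-01-03", "b2", "bob"),
    ("2024-01-03", "b2", "bob"),
    ("2024-01-03", "e1", "erin"),
]


def chart_over_time(events, func="count", limit=10, useother=True):
    """Model of `chart <func>(id) over time by name limit=<limit> useother=<t|f>`.

    Series (names) are ranked by their total over all time buckets (assumed
    ranking rule); only the top `limit` survive as columns. The remaining
    series are summed into an OTHER column when useother is true, or silently
    dropped when it is false. Returns (rows, dropped_names).
    """
    cells = defaultdict(list)            # (time, name) -> ids seen in that cell
    for t, _id, name in events:
        cells[(t, name)].append(_id)

    # count(id) counts occurrences; dc(id) counts distinct values
    agg = (lambda ids: len(ids)) if func == "count" else (lambda ids: len(set(ids)))
    values = {key: agg(ids) for key, ids in cells.items()}

    totals = defaultdict(int)
    for (_, name), v in values.items():
        totals[name] += v
    ranked = sorted(totals, key=lambda n: (-totals[n], n))
    kept, dropped = ranked[:limit], ranked[limit:]

    rows = []
    for t in sorted({t for t, _ in values}):
        row = {"time": t}
        for name in kept:
            row[name] = values.get((t, name), 0)
        if dropped and useother:
            row["OTHER"] = sum(values.get((t, n), 0) for n in dropped)
        rows.append(row)
    return rows, dropped


def distinct_names(events):
    """The number of distinct split-by values: the smallest limit that never truncates."""
    return len({name for _, _, name in events})


if __name__ == "__main__":
    rows, dropped = chart_over_time(EVENTS, limit=2)
    print("limit=2, useother=t ->", rows, "dropped:", dropped)
    rows, dropped = chart_over_time(EVENTS, limit=2, useother=False)
    print("limit=2, useother=f ->", rows, "dropped (invisible!):", dropped)
    print("distinct names:", distinct_names(EVENTS))
```

With `limit=2` the model keeps alice and bob and folds carol, dave and erin into OTHER; with `useother=False` the same three names vanish with no trace in the rows, which is exactly the confusion the answer warns about. Raising `limit` to `distinct_names(EVENTS)` yields no dropped series at all.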

