Splunk Search

Add specific fields into the timechart OTHER category.

dglinder
Path Finder

I'm generating a report of the daily usage of my users indexes over the past week using this search:

earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput 
| eval GB=kb/(1024*1024) 
| bucket _time span=1d 
| convert ctime(_time) as timestamp 
| timechart span=1d sum(GB) by series

This works well, except the "_fishbucket" shows as one of the values charted.

I would like to combine "_fishbucket" and a few other fields into the "OTHER" category, but the only methods I can think of appear to drop them completely from the report.

Any suggestions?

1 Solution

dglinder
Path Finder

For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series was found:

eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)

This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.

Here's the code from before with the addition:

earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput 
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series) 
| eval series=if(series == "_fishbucket", "OTHER", series) 
| eval GB=kb/(1024*1024) 
| bucket _time span=1d 
| convert ctime(_time) as timestamp 
| timechart span=1d sum(GB) by series

(I could have combined the two "eval series=..." pieces but I left them separate for readability.)

anthonysomerset
Path Finder

Amazing, this worked perfectly for me. When my data set already had an "Other" field too, I was able to also use the otherstr="" option of timechart to merge my Other series with OTHER.

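As an added illustration (my own Python, not Splunk code and not from either poster), this simulates the accepted answer's pipeline over constructed metrics.log lines and contrasts folding the ignorable series into OTHER with dropping them, while also merging a pre-existing "Other" series into the catch-all as the follow-up comment does with otherstr. The regexes, the IGNORABLE set and the case-insensitive merge rule are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real data), shaped like metrics.log per_index_thruput entries.
SAMPLE_LOG = """\
03-04-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="main", kbps=1.0, kb=1048576.0
03-04-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="_fishbucket", kbps=0.5, kb=524288.0
03-04-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="_internal", kbps=0.2, kb=262144.0
03-05-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="main", kbps=2.0, kb=2097152.0
03-05-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="Other", kbps=0.1, kb=131072.0
03-05-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="VALUE_internal", kbps=0.1, kb=131072.0
03-05-2024 00:10:00.000 +0000 INFO Metrics - group=per_index_thruput, series="_fishbucket", kbps=0.2, kb=262144.0
"""
DATE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) ")
SERIES_RE = re.compile(r'series="([^"]+)"')
KB_RE = re.compile(r"\bkb=([\d.]+)")  # \b stops kbps= from matching

# Series the question wants shown under OTHER instead of as their own columns.
IGNORABLE = {"VALUE_internal", "_internal", "_fishbucket"}

def fold_series(series, otherstr="OTHER"):
    """Same effect as the answer's eval series=if(..., "OTHER", series).
    Assumption (after the otherstr follow-up): an existing series whose name
    equals the catch-all name case-insensitively is merged into it too."""
    if series in IGNORABLE or series.lower() == otherstr.lower():
        return otherstr
    return series

def daily_gb_by_series(log_text, mode="fold"):
    """Simulate the search: bucket by day, GB=kb/(1024*1024), sum by series.
    mode "raw" keeps all series, "fold" remaps ignorable ones to OTHER,
    "drop" discards them the way a series!=... filter would."""
    table = defaultdict(lambda: defaultdict(float))
    for line in log_text.splitlines():
        date, ser, kb = DATE_RE.match(line), SERIES_RE.search(line), KB_RE.search(line)
        if "group=per_index_thruput" not in line or not (date and ser and kb):
            continue
        name = ser.group(1)
        if mode == "drop" and name in IGNORABLE:
            continue
        if mode == "fold":
            name = fold_series(name)
        day = datetime.strptime(date.group(1), "%m-%d-%Y").date().isoformat()
        table[day][name] += float(kb.group(1)) / (1024 * 1024)
    return {day: dict(cols) for day, cols in table.items()}

def total_gb(table):
    """Grand total over days and series: folding preserves it, dropping loses it."""
    return sum(sum(cols.values()) for cols in table.values())
```

Comparing total_gb over the "fold" and "drop" modes shows why the eval approach is preferable for a usage report: the fold keeps every GB that was indexed, the filter silently loses the ignored indexes' volume.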