I'm generating a report of the daily usage of my users' indexes over the past week using this search:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
This works well, except the "_fishbucket" shows as one of the values charted.
I would like to combine "_fishbucket" and a few other fields into the "OTHER" category, but the only methods I can think of appear to drop them completely from the report.
Any suggestions?
For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series was found:
eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.
There's the code from before with the addition:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
| eval series=if(series == "_fishbucket", "OTHER", series)
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
(I could have combined the two "eval series=..." pieces but I left them separate for readability.)
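As an added illustration (not part of the original answer), the Python below replays the same eval-then-timechart logic offline over constructed metrics.log lines, so you can see that the folded series are summed into OTHER rather than dropped. The sample lines, the fold_series and daily_gb_by_series names, and the exact per_index_thruput line shape are assumptions made for this example.

```python
"""Daily GB-by-series roll-up mirroring the post's SPL pipeline (added example)."""
import re
from collections import defaultdict

# Constructed lines shaped like splunkd metrics.log per_index_thruput events.
SAMPLE_LOG = """\
10-23-2013 00:00:05.000 +0000 INFO Metrics - group=per_index_thruput, series="main", kbps=12.5, eps=10.0, kb=524288.00, ev=1000
10-23-2013 00:00:05.000 +0000 INFO Metrics - group=per_index_thruput, series="_fishbucket", kbps=0.1, eps=0.1, kb=1024.00, ev=3
10-23-2013 00:00:05.000 +0000 INFO Metrics - group=per_index_thruput, series="_internal", kbps=1.0, eps=1.0, kb=2048.00, ev=40
10-24-2013 00:00:05.000 +0000 INFO Metrics - group=per_index_thruput, series="main", kbps=12.5, eps=10.0, kb=1048576.00, ev=2000
10-24-2013 00:00:05.000 +0000 INFO Metrics - group=per_index_thruput, series="VALUE_internal", kbps=1.0, eps=1.0, kb=3072.00, ev=60
"""

# Series the post folds into OTHER instead of dropping from the chart.
OTHER_SERIES = {"_fishbucket", "_internal", "VALUE_internal"}

# Day (MM-DD-YYYY), series name, and kb field; the kbps field is not matched.
LINE_RE = re.compile(
    r'^(\d\d-\d\d-\d{4}) .*group=per_index_thruput, series="([^"]*)",.* kb=([\d.]+)'
)


def fold_series(series, fold=OTHER_SERIES):
    """Equivalent of: eval series=if(series == "...", "OTHER", series)."""
    return "OTHER" if series in fold else series


def daily_gb_by_series(log_text, fold=OTHER_SERIES):
    """Return {day: {series: GB}}, like `timechart span=1d sum(GB) by series`."""
    table = defaultdict(lambda: defaultdict(float))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other metrics groups or malformed lines are ignored
        day, series, kb = m.group(1), m.group(2), float(m.group(3))
        # eval GB=kb/(1024*1024), summed per day into the (possibly folded) series
        table[day][fold_series(series, fold)] += kb / (1024 * 1024)
    return {day: dict(cols) for day, cols in table.items()}


if __name__ == "__main__":
    for day, cols in sorted(daily_gb_by_series(SAMPLE_LOG).items()):
        print(day, cols)
```

Passing fold=set() reproduces the original problem: "_fishbucket" then appears as its own series.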
Amazing, this worked perfectly for me. When my data set already had an "Other" field too, I was able to also use the otherstr="" option to timechart to merge my Other series with OTHER.