Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Drilldown on OTHER field

Ant1D
Motivator
‎02-25-2011 05:18 PM

Hey,

There is a field named OTHER which tends to appear at times in my search results. However, if I drilldown on this field (e.g. Click on a chart cell representing this OTHER field) the flashtimeline view will display no results.

Is there a way to get results to be displayed for the OTHER field? (This would enable me to see what data is going under this field and why).

I know that I can stop this field from appear via | fields - OTHER but sometimes this field has a fairly significant count in search results so I don't want to disregard this field.

Thanks in advance for your help.

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-26-2011 06:13 PM

Well the most basic way is to throw a limit=50 into your timechart or chart. That makes it display up to 50 (or whatever) before it starts lumping everybody into OTHER.

eg

 <your search> | timechart avg(session_length) by user limit=50

or

 <your search> | chart dc(users) by clientip limit=50

It doesnt make the 'OTHER' go away entirely but when the top 10 items leaves a significant slice of "OTHER" in the chart, often the top 50 will leave a much smaller slice and it becomes a much lower usability problem. The legend kind of goes off into space and you cant use it, but the user can mouseover the individual blocks or lines on the chart and see them still...

To david's point, sideview_utils makes a ton of stuff way easier, but this is more a search-language thing and it's best solved with search-language solutions.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-26-2011 06:13 PM

Well the most basic way is to throw a limit=50 into your timechart or chart. That makes it display up to 50 (or whatever) before it starts lumping everybody into OTHER.

eg

 <your search> | timechart avg(session_length) by user limit=50

or

 <your search> | chart dc(users) by clientip limit=50

It doesnt make the 'OTHER' go away entirely but when the top 10 items leaves a significant slice of "OTHER" in the chart, often the top 50 will leave a much smaller slice and it becomes a much lower usability problem. The legend kind of goes off into space and you cant use it, but the user can mouseover the individual blocks or lines on the chart and see them still...

To david's point, sideview_utils makes a ton of stuff way easier, but this is more a search-language thing and it's best solved with search-language solutions.

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 02:36 AM

NP. There are things you can do with a little bit of JS in application.js, and I might roll something into application.js, but it's a bit nutty. Think "field!=value1 field!=value2 field!=value3...." kind of a pain in the ass but it wouldnt be too hard for me to roll it generically into a patch to the tables and charts and apply the patch from sideview_utils...

0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎03-02-2011 10:03 AM

Thanks for the info Nick

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎02-25-2011 06:31 PM

This may be something you can do with sideview_utils, and specifically the ValueSetter module. That will require you to delve into Advanced XML (and beyond that, to the sideview modules), so it might be more hassle than it's worth, but it could be something to consider.

You might also be able to get away with by doing your search as a subsearch, with a NOT. Not sure how it'd play out, but maybe it could get you what you want (albeit with another link / table / etc.)

0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎02-28-2011 11:09 AM

Thanks for the info David

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...