Hi,
I have an input table with 3 inputs: id, name, and date. I'm attempting to chart the count of ids by name over time.
I'm currently using the following command:
chart count(id) over time by name
This gives me the exact formatting I'm looking for, but I'm running into an issue where all but the 10 names with the highest count get lumped together in a new column called OTHER that seems to be generated by Splunk.
How can I prevent this from happening and ensure Splunk displays all of the names, not just the top 10?
It's a little unusual to have the chart command used when the x-axis is time, as this is really what the timechart command is designed for. If you haven't taken a look already, I recommend doing so; you may prefer the way timechart handles the bucketing of times, drilldown and other behaviors.
Also make sure you're aware that count(id) is going to count the number of occurrences of the "id" field, and it will not count the number of distinct occurrences, which would be dc(id).
Anyway, moving on to your question about "OTHER", which is a feature of both timechart and chart: superficially, you can remove the "OTHER" from the results with "useother=f", but doing this is usually a bad idea. The reason is that while the useother argument removes the OTHER column, it does not actually alter the underlying behavior of listing only the top 10! Instead you're just removing the only clear evidence that the list is truncated, and you can see how confusion might result.
So instead, a better approach is to raise the limit from the default of 10, with the limit argument, i.e. limit=100 in the following.
chart count(id) over time by name limit=100
or using timechart,
timechart count(id) by name limit=100
If/when you have more than that number there, you'll still get an OTHER column. Change it to 500 or 1000 if you like of course. 😃
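To make the answer's two points concrete (how a split-by limit folds the remaining series into OTHER, and why useother=f only hides that truncation), here is a small Python emulation of what chart count(id) over time by name does with a limit. This is an added illustration, not Splunk's code or the poster's search; it assumes, for the sake of the example, that the N series kept are the ones with the highest total across all time buckets, and the rows in ROWS are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events (date, name, id); not data from the original post.
# "alice" logs id 1 twice on the first day, so count(id) and dc(id) differ there.
ROWS = [
    ("2024-01-01", "alice", 1), ("2024-01-01", "alice", 1),
    ("2024-01-01", "bob", 2), ("2024-01-01", "carol", 3), ("2024-01-01", "dave", 4),
    ("2024-01-02", "alice", 5), ("2024-01-02", "bob", 6), ("2024-01-02", "bob", 6),
    ("2024-01-02", "carol", 7),
]


def chart_by_name(rows, limit=10, useother=True, distinct=False):
    """Emulate `chart count(id) over <date> by name limit=N` (dc(id) when distinct=True).

    Assumption for this illustration: the `limit` series with the highest total
    across all buckets are kept; every other series is folded into an OTHER
    column, or silently dropped when useother=False (the behaviour the answer
    warns about). Returns (columns, table) with table[bucket][column] = value.
    """
    ids = defaultdict(lambda: defaultdict(list))  # bucket -> name -> [ids]
    for bucket, name, ident in rows:
        ids[bucket][name].append(ident)

    def agg(id_list):
        # count(id) counts occurrences; dc(id) counts distinct values.
        return len(set(id_list)) if distinct else len(id_list)

    totals = defaultdict(int)
    for bucket in ids:
        for name, id_list in ids[bucket].items():
            totals[name] += agg(id_list)
    kept = sorted(totals, key=lambda n: (-totals[n], n))[:limit]
    dropped = [n for n in totals if n not in kept]

    table = {}
    for bucket in sorted(ids):
        row = {name: agg(ids[bucket].get(name, [])) for name in kept}
        if dropped and useother:
            row["OTHER"] = sum(agg(ids[bucket].get(n, [])) for n in dropped)
        table[bucket] = row
    columns = kept + (["OTHER"] if dropped and useother else [])
    return columns, table


def hidden_series(rows, limit=10):
    """Names that useother=f would remove from the chart without any trace."""
    all_names = len({r[1] for r in rows})
    full_cols, _ = chart_by_name(rows, limit=all_names)
    kept_cols, _ = chart_by_name(rows, limit=limit, useother=False)
    return [n for n in full_cols if n not in kept_cols]


if __name__ == "__main__":
    for opts in ({"limit": 2}, {"limit": 2, "useother": False}, {"limit": 10}):
        columns, table = chart_by_name(ROWS, **opts)
        print(opts, columns)
        for bucket, row in table.items():
            print("  ", bucket, row)
    print("hidden by useother=f at limit=2:", hidden_series(ROWS, limit=2))
```

Running it with limit=2 yields an alice, bob and OTHER column; with useother=False the OTHER column vanishes but carol and dave are still missing, which is exactly the silent truncation the answer describes. Raising the limit past the number of distinct names (limit=10 here) is the only setting that shows every series.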