Splunk Search

How to prevent chart command from only displaying top 10 count results and lumping everything else into OTHER?

mrfredman
Path Finder

Hi,

I have an input table with 3 inputs: id, name, and date. I'm attempting to chart the count of id's by name over time.

I'm currently using the following command:

chart count(id) over time by name

This gives me the exact formatting I'm looking for, but I'm running into an issue where all but the 10 names with the highest count get lumped together in a new column called OTHER that seems to be generated by Splunk.

How can I prevent this from happening and ensure Splunk displays all of the names, not just the top 10?

1 Solution

sideview
SplunkTrust

It's a little unusual to have chart command used when the x-axis is time, as this is really what timechart command is designed for. If you haven't taken a look already, I recommend doing so; you may prefer the way timechart handles the bucketing of times, drilldown and other behaviors.

Also make sure you're aware that count(id) is going to count the number of occurrences of the "id" field, and it will not count the number of distinct occurrences, which would be dc(id).

Anyway, moving on to your question about "OTHER", which is a feature of both timechart and chart: superficially, you can remove the "OTHER" from the results with "useother=f", but doing this is usually a bad idea. The reason is that while the useother argument removes the OTHER column, it does not actually alter the underlying behavior of listing only the top 10! Instead you're just removing the only clear evidence that the list is truncated, and you can see how confusion might result.

So instead, a better option is to raise the limit from the default of 10, with the limit argument, i.e. limit=100 in the following.

chart count(id) over time by name limit=100 

or using timechart,

timechart count(id) by name limit=100 

If/when you have more than that number there, you'll still get an OTHER column. Change it to 500 or 1000 if you like of course. 😃


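To make the truncation behaviour described in the answer concrete, here is an added Python model of what the `limit` and `useother` arguments do to the series (example code written for this thread, not Splunk's implementation or code from the original posts); the rows, names and time buckets are constructed, and the "top N by total count" selection is an assumption about how Splunk picks the kept series.

```python
from collections import Counter, defaultdict

# Constructed sample rows (time_bucket, name, id): 12 distinct names, so the
# default limit=10 must truncate two of them. name00 is the most frequent.
ROWS = []
for hour in ("10:00", "11:00"):
    for i in range(12):
        for n in range(12 - i):
            ROWS.append((hour, f"name{i:02d}", f"id-{hour}-{i}-{n}"))


def chart_count_by(rows, limit=10, useother=True):
    """Mimic `chart count(id) over time by name limit=N useother=t|f`.

    Assumption: the `limit` series with the highest total count are kept and
    every other series is folded into an OTHER column per time bucket, or
    silently dropped when useother=False. limit=0 means no truncation.
    """
    totals = Counter(name for _, name, _ in rows)
    kept = {name for name, _ in totals.most_common(limit)} if limit else set(totals)
    result = defaultdict(Counter)
    for bucket, name, _ in rows:
        if name in kept:
            result[bucket][name] += 1
        elif useother:
            result[bucket]["OTHER"] += 1
    return {bucket: dict(cols) for bucket, cols in result.items()}


def charted_total(chart):
    """Sum of every cell in the chart; compare it with len(rows) to see what was lost."""
    return sum(sum(cols.values()) for cols in chart.values())


if __name__ == "__main__":
    for kwargs in ({}, {"useother": False}, {"limit": 100}):
        chart = chart_count_by(ROWS, **kwargs)
        print(kwargs, "rows:", len(ROWS), "charted:", charted_total(chart),
              "OTHER present:", any("OTHER" in cols for cols in chart.values()))
```

With the defaults the two least frequent names land in OTHER and the totals still add up; with `useother=False` the OTHER column vanishes but so do those rows, which is the silent loss the answer warns about; with `limit=100` every name gets its own column.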
