When running reports there are times when a field of OTHER is returned.
What defines a result to be returned to OTHER?
Can the properties that cause a result to be sent to this field be modified? If so what files control these properties?
The OTHER field represents groupings that are not in the top N most prevalent groups. For example, if you run a search like:
search ... | timechart count by host
the max number of host fields that would be returned by timechart is 10. If you have 25 distinct hosts in your dataset, then the 15 least populous hosts would be coalesced into OTHER.
There are 2 ways to deal with this:
1. Disable the use of OTHER by adding a useother=f parameter:
search ... | timechart count by host useother=f
This will generate a field for every host found in the dataset.
2. Increase the threshold for OTHER grouping:
search ... | timechart count by host where count in top50
This will generate a field for every host, up to 50. If there are more than 50, the excess will then be grouped into OTHER.
There is a similar grouping called NULL, which can be disabled by using the usenull=f option. These parameters are available on both the timechart and chart commands. For more information, see the search reference on timechart.
The OTHER field is just a place-holder name used by the timechart or bucket search commands (and possibly others). By default these grouping commands limit the number of values they group by because there is only so much room to display them on a chart. (If you use stats, for example, you will not get an "OTHER" field, because stats is generally used for building tables and not visually displayed charts.) Generally, "OTHER" is just a combination of the most uninteresting series.
The number of series shown on a chart defaults to either 10 or 15 (don't remember off the top of my head). So if your search has a ... | timechart .... in it, and you change it to .. | timechart limit=30 ...., then you should see more actual grouping values. If you still see OTHER then you have more than 30 distinct values.
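The series selection both answers describe (top N hosts by prevalence, the rest folded into OTHER, events without a host into NULL), modelled in Python as an added example that is not from the original thread or from Splunk itself. It assumes Splunk's documented semantics that useother=f omits the series that miss the cut rather than grouping them, that limit=0 means no limit, and it uses a constructed event sample; the hidden_hosts check is the part a defender wants, because a host that appears only once (a bastion in this sample) silently disappears into OTHER on a dashboard.

```python
from collections import Counter, defaultdict

# Constructed sample events as (time bucket, host); None models an event
# with no host field, which timechart would chart as NULL.
EVENTS = [
    ("10:00", "web01"), ("10:00", "web01"), ("10:00", "web01"),
    ("10:00", "web02"), ("10:00", "web02"), ("10:00", "db01"),
    ("10:00", None),
    ("10:05", "web01"), ("10:05", "web01"), ("10:05", "web01"),
    ("10:05", "web02"), ("10:05", "web02"), ("10:05", "db01"),
    ("10:05", "db01"), ("10:05", "bastion"), ("10:05", None),
]


def top_hosts(events, limit):
    """Hosts that earn their own series: the `limit` most prevalent overall.
    limit=0 models Splunk's 'no limit' (assumption: ties are not an issue
    in the constructed sample)."""
    totals = Counter(h for _, h in events if h is not None)
    if limit == 0:
        return set(totals)
    return {h for h, _ in totals.most_common(limit)}


def hidden_hosts(events, limit=10):
    """Defender's check: which hosts would vanish into OTHER at this limit?"""
    totals = Counter(h for _, h in events if h is not None)
    return sorted(set(totals) - top_hosts(events, limit))


def timechart_count_by_host(events, limit=10, useother=True, usenull=True):
    """Model of `timechart count by host` with the limit/useother/usenull
    options from the answers. Returns {bucket: {series: count}}."""
    keep = top_hosts(events, limit)
    chart = defaultdict(Counter)
    for bucket, host in events:
        series = chart[bucket]  # create the bucket even if nothing is kept
        if host is None:
            if usenull:
                series["NULL"] += 1
        elif host in keep:
            series[host] += 1
        elif useother:
            series["OTHER"] += 1  # coalesced, as the answers describe
    return {b: dict(c) for b, c in sorted(chart.items())}


if __name__ == "__main__":
    print("hidden at limit=3:", hidden_hosts(EVENTS, 3))
    print(timechart_count_by_host(EVENTS, limit=3))
    print(timechart_count_by_host(EVENTS, limit=0))
```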