Splunk Search

Where do I put the "useother" argument in my search?

a212830
Champion

Hi,

I have a search (below) that I want to run to show me license details by date, sourcetype, and host. Unfortunately, it's only giving me the top 10 hosts. How can I list them all?

index=_internal source=*license_usage.log type="Usage" idx=ngcc* pool=auto* | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx  | search pool="auto_generated_pool_enterprise" | timechart span=1d sum(b) AS volumeB by h fixedrange=false  | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d  | search pool="auto_generated_pool_enterprise" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS  "pool size" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
0 Karma

sundareshr
Legend

Sounds like you need limit=0 and not useother. By default, timechart will only show 10 columns and group everything else in the "OTHER" group. Hence useother, if set to false, will hide the "OTHER" group. To show more than 10, you should use limit=x, where 0 means unlimited. So make the following change:

... | timechart limit=0 span=1d sum(b) AS volumeB by h | ...

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/timechart

MuS
SplunkTrust

Hi a212830,

Since useother is an option for timechart (http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Timechart), use it there:

 ... | timechart span=1d sum(b) AS volumeB by h useother=f fixedrange=false |...

Hope this helps ...

cheers, MuS

0 Karma

a212830
Champion

Thanks. My results are still only returning 10 hosts. What am I missing?

0 Karma