Splunk Search

Rename "other" in result set

M__rt_n
New Member

When making a graph, I get my result set, limited to the number of results I wish to see. The remaining results are combined in an "other" value.
This is all correct, BUT I wish to rename this "other" value, since all my "regular" values are listed in another language.
How can this be done?
(I have been able to use "eval" to change my "regular" values, but this doesn't seem to work for the "other" value.)

0 Karma

DalJeanis
SplunkTrust

I can't get the replace verb to work, but there's a timechart-specific command. Run anywhere example -

source=unix_hosts 
| timechart count by splunk_server  otherstr="NewValue"

dnyanesh7
Engager

If you are using PieChart: You can edit your source and add this property-

charting.chart.sliceCollapsingLabel = "ProvideName"

by default it is: Other

0 Karma

woodcock
Esteemed Legend

Just add this to the end of your search:

| rename OTHER AS YourOtherNameHere
0 Karma

M__rt_n
New Member

This doesn't seem to work.
This Other value isn't a column name.
It's a value inside a column.

0 Karma

ddrillic
Ultra Champion

So, maybe something in the spirit of - | rex field=basavalue mode=sed "s/Other/NewValue/g"

0 Karma

sbbadri
Motivator

try this

your base search | timechart usenull=fasle useother=false limit=0 count

niketn
Legend

Slight correction in the syntax. However, if the OTHER field is being introduced through the timechart or chart command, you can use the following three options to control the number of fields returned and whether to use null and other or not: limit, usenull and useother.

 | timechart usenull=f useother=f limit=10 count

By default the limit is 10 and setting the same to 0 will show all fields generated due to aggregation.
usenull is by default true (or t) which you can set to either false or f. Similarly for useother.
You might have to share your query if you are not using timechart or chart command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma