When making a graph, I get my result set, limited to the number of results I wish to see. The remaining results are combined in an "other" value.
This is all correct, BUT I wish to rename this "other"- value, since all my "regular" values are listed in another language.
How can this be done?
(I have been able to use "eval" to change my "regular" values, but this doesn't seem to work for the "other"-value.)
I can't get the replace
verb to work, but there's a timechart
-specific command. Run anywhere example -
source=unix_hosts
| timechart count by splunk_server otherstr="NewValue"
If you are using PieChart: You can edit your source and add this property-
charting.chart.sliceCollapsingLabel = "ProvideName"
by default it is: Other
Just add this to the end of your search:
| rename OTHER AS YourOtherNameHere
This doesn't seem to work.
This Other value isn't a column name.
It's a value inside a column.
So, maybe something in the spirit of - | rex field=basavalue mode=sed "s/Other/NewValue/g"
try this
your base search | timechart usenull=fasle useother=false limit=0 count
Slight correction in the syntax. However, if OTHER field is being introduced through timechart or chart command you can use following three to control number of fields returned and whether to usenull and useother or not limit, usenull and useother.
| timechart usenull=f useother=f limit=10 count
By default the limit is 10 and setting the same to 0 will show all fields generated due to aggregation.
usenull is by default true (or t) which you can set to either false or f. Similarly for useother.
You might have to share your query if you are not using timechart or chart command.