Solved: Additional field in search results

strive · ‎11-29-2012

Hi,

A field OTHER is getting displayed in search results.

My Log is:

FieldA FieldB FieldC event
123    123    234    A
123    123    234    A
123    123    234    B
123    123    234    C
123    123    234    A
123    123    234    A
123    123    234    D
123    123    234    A
123    123    234    E
...    ...    ...    .
...    ...    ...    .
...    ...    ...    .
...    ...    ...    .
...    ...    ...    .
...    ...    ...    .
123    123    234    Z

I have a scheduled search. The search results are populated in default summary index.

The scheduled search is:

index="ABC" sourcetype="abc" | bucket _time span=1d | stats count AS Count by event | rename event AS Event

When I execute a macro search on the summary index to display chart, the count is displayed only for few events (say 10 events, A to J), remaining events are not displayed. Instead a new event OTHER is displayed.

My macro search is :

index="summary" | timechart partial=false span=1d sum(Count) AS Count by Event

I assume, splunk is displaying only top 10 events, remaining events are clubbed and put under OTHER. Is my assumption right?

If my assumption is right, is there a way to restrict splunk not to club the events under OTHER.

Thanks

Strive

Ayn · ‎11-29-2012

From the timechart docs page (http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Timechart 😞

 useother
    Syntax: useother=<bool> 
    Description: Specifies if a series should be added for data series not included in the graph because they did not meet the criteria of the <where-clause>. Defaults to True|T. 

otherstr
    Syntax: otherstr=<string> 
    Description: If useother is true, this series is labeled by the value of the otherstr option. Defaults to OTHER.

View solution in original post

lguinn2 · ‎11-29-2012

A few comments: first, if this search is populating a summary index, I would recommend

index="ABC" sourcetype="abc" 
| sitimechart partial=false span=1d count by event

for the populating search. First, you are not making use of _time, so no need to bucket it here. Second, you should put the data into the summary index in the same way that you intend to use it later - but using the "si" version of the command. Here, that would be sitimechart instead of timechart.

When you retrieve the summary results, do this (assuming the name of the above search is abc_summary)

index=summary search_name=abc_summary 
| timechart partial=false span=1d count by event
| rename count as Count event as Event

Finally - to your question. If there are more that 10 values for event, Splunk shows only the top 10, and combines all the rest into "Other." If you don't want that, then set useother=f as follows:

index=summary search_name=abc_summary 
| timechart partial=false span=1d useother=f count by event
| rename count as Count event as Event

HTH

strive · ‎11-29-2012

Thank you. It worked.

Ayn · ‎11-29-2012

From the timechart docs page (http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Timechart 😞

 useother
    Syntax: useother=<bool> 
    Description: Specifies if a series should be added for data series not included in the graph because they did not meet the criteria of the <where-clause>. Defaults to True|T. 

otherstr
    Syntax: otherstr=<string> 
    Description: If useother is true, this series is labeled by the value of the otherstr option. Defaults to OTHER.

strive · ‎11-29-2012

Thank you. It helped to find out the issue.

Additional field in search results

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms