Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

chart over refuses to show OTHER group

yuanliu
SplunkTrust
SplunkTrust
‎08-08-2017 02:10 PM

Many people asked about how to suppress OTHER group from charts. But I have the opposite problem: When I use chart blah over foo by bar, legends include an "OTHER" group but the chart does not show it. This results in seriously skewed charts. For example, when I do not specify limit (default 10), I get three blank bands out of 6. (Only one blank expected.); if I do limit=20, I get two blank bands. Now if I do limit=30, five bands have non-zero values, but they are not correct judging by setting limit=40 and limit=0. Now I can't even trust limit=0 because OTHER group still exist. How can I force OTHER to display?

alt text
alt text

Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-09-2017 04:44 AM

The chart command has a useother argument that you can try setting as useother=t.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-09-2017 02:39 AM

I tried to reproduce that using this search:

index=_internal sourcetype=splunkd_access | chart count over file by bytes

However, I get a chart with all columns containing something, lots with OTHER.

What version are you on?
Can you reproduce your issue using splunk-internal data to run anywhere?

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:10 PM

Version is 6.6.2. I tried several combinations with index=_internal but they are all able to show OTHER on chart. (Which is what I have always expected unless I specify useother=false).

But this inspired me to examine the stats in more detail, and discover that OTHER group alone contains multivalue entries! Because my input is single value, I was foolish to believe that values() is as good as any other function, not realising that OTHER would wreck havoc. Many thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...