- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add specific fields into the timechart OTHER categ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm generating a report of the daily usage of my users indexes over the past week using this search:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
This works well, except the "_fishbucket" shows as one of the values charted.
I would like to combine"_fishbucket" and a few other fields into the "OTHER" category, but the only methods I can think of appear to drop them completely from the report.
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series were found:
eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.
There's the code from before with the addition:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
| eval series=if(series == "_fishbucket", "OTHER", series)
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
(I could have combined the two "eval series=..." pieces but I left them separate for readability.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series were found:
eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.
There's the code from before with the addition:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
| eval series=if(series == "_fishbucket", "OTHER", series)
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
(I could have combined the two "eval series=..." pieces but I left them separate for readability.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amazing, this worked perfectly for me when my data set already had an "Other" field too i was able to also use the otherstr="" option to time chart to merge my Other series with OTHER
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
