- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rename "other" in result set
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rename "other" in result set
When making a graph, I get my result set, limited to the number of results I wish to see. The remaining results are combined in an "other" value.
This is all correct, BUT I wish to rename this "other"- value, since all my "regular" values are listed in another language.
How can this be done?
(I have been able to use "eval" to change my "regular" values, but this doesn't seem to work for the "other"-value.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't get the replace verb to work, but there's a timechart-specific command. Run anywhere example -
source=unix_hosts
| timechart count by splunk_server otherstr="NewValue"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using PieChart: You can edit your source and add this property-
charting.chart.sliceCollapsingLabel = "ProvideName"
by default it is: Other
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just add this to the end of your search:
| rename OTHER AS YourOtherNameHere
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't seem to work.
This Other value isn't a column name.
It's a value inside a column.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, maybe something in the spirit of - | rex field=basavalue mode=sed "s/Other/NewValue/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
your base search | timechart usenull=fasle useother=false limit=0 count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slight correction in the syntax. However, if OTHER field is being introduced through timechart or chart command you can use following three to control number of fields returned and whether to usenull and useother or not limit, usenull and useother.
| timechart usenull=f useother=f limit=10 count
By default the limit is 10 and setting the same to 0 will show all fields generated due to aggregation.
usenull is by default true (or t) which you can set to either false or f. Similarly for useother.
You might have to share your query if you are not using timechart or chart command.
| makeresults | eval message= "Happy Splunking!!!"
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
