Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what is the limit to the number of categories that can be in a legend in splunk timechart

HattrickNZ
Motivator
‎04-07-2015 08:25 PM

I have a timechart search that looks something like:

... | timechart  span=15m max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category | eval threshold=1

Some Observations/Questions:
But there is 14 categories to show and it only shows 10, and puts the remaining categories into Other. So that's 11 categories in total showing.
The legend seems to show the categories in alphabetical order. Can I order this by size or something else other that alphabetically?
Can I name Other to something else?
I can add another category to the legend using the eval threshold=1 and this seems to appear in the legend. So there is a limit there of sorts, but not completely it seems

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chimell
Motivator
‎04-08-2015 12:36 AM

Hi HattrickNZ
use limit=0 like below

  ... | timechart span=15m  max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category   limit=0 | eval threshold=1

View solution in original post

Reply
Solved! Jump to solution

fdi01
Motivator
‎04-08-2015 03:10 AM

try like this: .. | timechart span=15m useother=f limit=0 max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category |...

to see the "Other" category
and for more information on timechart command see this link: docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/timechart

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-08-2015 02:26 AM

Hi HattrickNZ ,
There is no limit for the number of categories that can be in legend in splunk timechart .
If you have 14 categories to show and it only shows 10, It is simply because splunk consider the value or the amount of the other categoties to be insignificant.
So splunk do not see an interest to put then in the legend But splunk gather all that values in one categories call other

Note that you can decide to display all your legend values( see what Chimell proposed).

Reply
Solved! Jump to solution
Solution

chimell
Motivator
‎04-08-2015 12:36 AM

Hi HattrickNZ
use limit=0 like below

  ... | timechart span=15m  max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category   limit=0 | eval threshold=1
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-08-2015 01:43 AM

Alternatively, you can add useother=f if you don't want to see the "Other" category.

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-12-2015 04:04 PM

tks but useother=f will remvoe it completely from the legend and this is not what i want in this instance but good to know.

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-12-2015 04:05 PM

limit=0 works by not grouping the remaining categories into Other.

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-07-2015 09:40 PM

You may also find the docs on timechart useful.

in particular otherstr can be used to rename Other.

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-07-2015 08:25 PM

found this re the limit question

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...