Why OTHER is shown even though it is not present in log files.

tkadale — Thu, 21 Apr 2011 06:10:24 GMT

I am showing a time chart filtered by host. There is no host named OTHER. but on actual graph OTHER appears as one of the host. It is shown only on some graphs, not all. I want to remove that OTHER from the graph. Is there any solution for that??

Re: Why OTHER is shown even though it is not present in log files.

sideview — Thu, 21 Apr 2011 06:37:13 GMT

When you're using the chart or timechart commands, and you have a 'split by' clause in them, ie you have a 'by host' on the end, by default they only show the top 9 values in the split, and all the others get rolled up into a value it creates called 'OTHER'.

If you want to raise that number from 10 for example, you can do:

<your search> | timechart count by host limit=20

and if you want to show the top 50 or something, and NOT include any 'OTHER' field, you can do:

<your search> | timechart count by host limit=50 useother=f

However beware that useother=f does not undo the limit at all; it purely controls whether the 'OTHER' should be displayed or not. Since it can be very misleading to omit it, I generally bump the number up to 50 or 75 but let it display.

http://www.splunk.com/base/Documentation/latest/SearchReference/Timechart

NOTE: in older splunk versions there was no "limit=N" syntax and you had to use clunkier syntax of "timechart count by host where sum in top50".

topic Why OTHER is shown even though it is not present in log files. in Splunk Search

Why OTHER is shown even though it is not present in log files.

Re: Why OTHER is shown even though it is not present in log files.