topic Re: Addtotals does not include 'Other' in Splunk Search

Addtotals does not include 'Other'

jvamplew — Tue, 09 Jul 2024 09:14:27 GMT

When I add a limit to a timechart to reduce the number of visible series (improve dashboard performance) it changes the value of Total when using addtotals.

Example:

| timechart span=1s avg(host_usage) by host useother=true | addtotals

The below gives me a lower overall total than the above:

| timechart span=1s avg(host_usage) by host limit=5 useother=true | addtotals

I thought Other was supposed to be the total of all other values not explicitly displayed?

Re: Addtotals does not include 'Other'

gcusello — Tue, 09 Jul 2024 11:10:36 GMT

Hi @jvamplew,

if you use limit=5, you'll have 5 results, so you don't need to use useother.

In this way addtotals summarize only the results of the search, in other words, only the first 5 values.

Ciao.

Giuseppe

Re: Addtotals does not include 'Other'

jvamplew — Tue, 09 Jul 2024 12:07:35 GMT

Thanks Giuseppe.

Unfortunately that is the problem, I actually have 30 values. I want to display the total for all, but don't necessarily want to chart them all, as this many series over a number of charts tends to slow down the dashboard. I was hoping that by using Other, it would sum the other values into that column, thereby allowing me to display an accurate total while not displaying all the values.

Is there a way to do this? I'm thinking it may only work by appending a subsearch for the total and overlaying it on the original chart, but I was trying to avoid adding another search for every panel that displays this data.

Re: Addtotals does not include 'Other'

gcusello — Tue, 09 Jul 2024 12:49:58 GMT

Hi @jvamplew ,

I'm not sure, but it should run:

<your_search> | bin span=1s -time | stats avg(host_usage) by host useother=true | addtotals | timechart span=1s avg(host_usage) by host limit=7 useother=true

Ciao.

Giuseppe

Re: Addtotals does not include 'Other'

yuanliu — Wed, 10 Jul 2024 04:27:50 GMT

You will need to carefully calibrate your result before drawing conclusions. In other words, compare apples to apples. Try this exercise: run the following two within the same calendar hour. First

<somesearch> earliest=-1h@h latest=-0h@h | timechart span=1s avg(host_usage) by host useother=true | addtotals | table _time Total *

Then this

<somesearch> earliest=-1h@h latest=-0h@h | timechart span=1s avg(host_usage) by host useother=true limit=5 | addtotals | table _time Total *

What the earliest and latest do in this exercise is to eliminate any bucket error. (I am curious what use case could warrant timechart with span 1s.) The table command is so you can easily compare Total in each row.

When I test this method, Total does not change when I set limit. Here is the test set:

index=_audit earliest=-1d@d latest=-0d@d | timechart span=4h count by action useother=true | addtotals | table _time Total *

_time	Total	add	delete	expired_session_token	login_attempt	quota	read_session_token	search	update	validate_token
2024-07-07 21:00	1592	0	0	14	0	1	787	3	0	787
2024-07-08 01:00	453	0	0	13	1	8	199	33	0	199
2024-07-08 05:00	212	0	0	3	1	8	95	10	0	95
2024-07-08 09:00	1965	0	0	9	2	8	964	14	4	964
2024-07-08 13:00	6508	0	0	22	2	10	3216	34	7	3217
2024-07-08 17:00	7059	1	1	0	0	0	3519	16	3	3519
2024-07-08 21:00	4966	0	0	0	0	0	2478	10	0	2478

index=_audit earliest=-1d@d latest=-0d@d | timechart span=4h count by action useother=true limit=3 | addtotals | table _time Total *

_time	Total	OTHER	read_session_token	search	validate_token
2024-07-07 21:00	1592	15	787	3	787
2024-07-08 01:00	453	22	199	33	199
2024-07-08 05:00	212	12	95	10	95
2024-07-08 09:00	1965	23	964	14	964
2024-07-08 13:00	6508	41	3216	34	3217
2024-07-08 17:00	7059	5	3519	16	3519
2024-07-08 21:00	4966	0	2478	10	2478

As you can see, the Total column in the two output are exactly identical.

Suggestion: If your event density is extremely high (given that you are using 1s time bucket), you can use snap-to anchor ("@", see Specify a snap to time unit) to avoid indeterministic time bucket

<somesearch> | timechart span=1s@s avg(host_usage) by host useother=true | addtotals

<somesearch> | timechart span=1s@s avg(host_usage) by host useother=true limit=5 | addtotals