Splunk Search

Changes in timechart useother functionality in 4.2?

kevintelford
Path Finder

We used to have a dashboard driven by a simple query that would show a value per hour for all of our index servers.

* | timechart span=1h count by splunk_server useother=f

Before we upgraded to 4.2 this would work as we had come to expect it, but now it only shows the top 10 servers. If we drop useother=f it will then show an "other" column along with the top 10, but we want all splunk_server values. Is there a new way to do this?

Thanks, Kevin

0 Karma
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

I'm pretty sure that's how it has always behaved. To get more series, you need to use the limit argument like:

* | timechart span=1h count by splunk_server limit=100

View solution in original post

Stephen_Sorkin
Splunk Employee
Splunk Employee

I'm pretty sure that's how it has always behaved. To get more series, you need to use the limit argument like:

* | timechart span=1h count by splunk_server limit=100

kevintelford
Path Finder

Thank you Stephen 🙂 useother=f used to work, just not sure if it was intended to do what I wanted. Either way, limit=100 works perfectly, thank you sir.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...