I'm fairly new to Splunk, and I'm using my Minecraft server logs to chart some data. I am having a hard time charting rare values. Here is the search I'm trying:
| rare blocktype
| chart count(blocktype) over player by blocktype useother=f
This does not work. I know I'm doing this incorrectly, but I'm not sure how, exactly. Any tips would be greatly appreciated!
after rare command you have only three fields: block_type, count and percent; so you don't have field "player" more.
You should use a different approach, something like
| chart count(block_type) over player by block_type useother=f
This won't return the rare values, though, which is what I need. I am already using that search to return the top values.