Dashboards & Visualizations

How to hide "OTHER" job in Timechart

aditsss
Motivator

Hi Everyone,

I have created one Query:

index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"|join type=outer JOBFLOW_ID [ inputlookup JOB_MDJX_CS_MASTER_E3.csv ]|eval fields=split(_raw,",")|eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime limit=10

The issue I am facing is I am getting jobs Trend but I am getting one more line as Other.

How we can hide that OTHER. Attached is the screenshot for the same.

Can someone please guide me.

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"|join type=outer JOBFLOW_ID [ inputlookup JOB_MDJX_CS_MASTER_E3.csv ]|eval fields=split(_raw,",")|eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart useother=f sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime limit=10

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Try the useother=f option on the timechart command

0 Karma

aditsss
Motivator

@ITWhisperer 

Can you tell me how to use that option in my query.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

 

index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"
| join type=outer JOBFLOW_ID 
  [ | inputlookup JOB_MDJX_CS_MASTER_E3.csv ]
| eval fields=split(_raw,",")
| eval Environment=mvindex(fields,11)
| eval JOBFLOW_ID=mvindex(fields,0) 
| eval JOB_EXEC_TIME=mvindex(fields,8)
| eval RunDate=mvindex(fields,3)
| where Environment="E3"
| where JOBFLOW_ID LIKE "%%"
| eval RunDate="20".mvindex(fields,3)
| fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")
| timechart useother=f sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID 
``` If you want to see all values instead of some then use the below ```
```| timechart limit=0 sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID ```
| eval TotalExecTime=round(TotalExecTime,2)
| sort -TotalExecTime limit=10

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index=abc source="/splunkLogs/JOB_MDJX_CS_STATS_PLATINUM.csv"|join type=outer JOBFLOW_ID [ inputlookup JOB_MDJX_CS_MASTER_E3.csv ]|eval fields=split(_raw,",")|eval Environment=mvindex(fields,11)|eval JOBFLOW_ID=mvindex(fields,0) |eval JOB_EXEC_TIME=mvindex(fields,8)|eval RunDate=mvindex(fields,3)|where Environment="E3"|where JOBFLOW_ID LIKE "%%"|eval RunDate="20".mvindex(fields,3)|fieldformat Run_Date=strftime(Run_Date,"%d/%b/%Y")|timechart useother=f sum(JOB_EXEC_TIME) as TotalExecTime by JOBFLOW_ID |eval TotalExecTime=round(TotalExecTime,2)|sort -TotalExecTime limit=10
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...