Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

chart over refuses to show OTHER group

yuanliu
SplunkTrust
SplunkTrust
‎08-08-2017 02:10 PM

Many people asked about how to suppress OTHER group from charts. But I have the opposite problem: When I use chart blah over foo by bar, legends include an "OTHER" group but the chart does not show it. This results in seriously skewed charts. For example, when I do not specify limit (default 10), I get three blank bands out of 6. (Only one blank expected.); if I do limit=20, I get two blank bands. Now if I do limit=30, five bands have non-zero values, but they are not correct judging by setting limit=40 and limit=0. Now I can't even trust limit=0 because OTHER group still exist. How can I force OTHER to display?

alt text
alt text

Preview file
20 KB
Preview file
20 KB
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-09-2017 04:44 AM

The chart command has a useother argument that you can try setting as useother=t.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-09-2017 02:39 AM

I tried to reproduce that using this search:

index=_internal sourcetype=splunkd_access | chart count over file by bytes

However, I get a chart with all columns containing something, lots with OTHER.

What version are you on?
Can you reproduce your issue using splunk-internal data to run anywhere?

alt text

Preview file
41 KB
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:10 PM

Version is 6.6.2. I tried several combinations with index=_internal but they are all able to show OTHER on chart. (Which is what I have always expected unless I specify useother=false).

But this inspired me to examine the stats in more detail, and discover that OTHER group alone contains multivalue entries! Because my input is single value, I was foolish to believe that values() is as good as any other function, not realising that OTHER would wreck havoc. Many thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...