chart over refuses to show OTHER group

yuanliu
SplunkTrust

Many people have asked how to suppress the OTHER group from charts. But I have the opposite problem: when I use chart blah over foo by bar, the legend includes an "OTHER" group but the chart does not show it. This results in seriously skewed charts. For example, when I do not specify limit (default 10), I get three blank bands out of 6 (only one blank expected); if I do limit=20, I get two blank bands. Now if I do limit=30, five bands have non-zero values, but they are not correct judging by setting limit=40 and limit=0. Now I can't even trust limit=0 because the OTHER group still exists. How can I force OTHER to display?

1 Solution

yuanliu
SplunkTrust

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

woodcock
Esteemed Legend

The chart command has a useother argument that you can try setting as useother=t.

martin_mueller
SplunkTrust

I tried to reproduce that using this search:

index=_internal sourcetype=splunkd_access | chart count over file by bytes

However, I get a chart with all columns containing something, lots with OTHER.

What version are you on?
Can you reproduce your issue using splunk-internal data to run anywhere?

yuanliu
SplunkTrust

Version is 6.6.2. I tried several combinations with index=_internal but they are all able to show OTHER on the chart (which is what I have always expected unless I specify useother=false).

But this inspired me to examine the stats in more detail, and discover that the OTHER group alone contains multivalue entries! Because my input is single value, I was foolish to believe that values() is as good as any other function, not realising that OTHER would wreak havoc. Many thanks!
