Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

chart over refuses to show OTHER group

yuanliu
SplunkTrust
SplunkTrust
‎08-08-2017 02:10 PM

Many people asked about how to suppress OTHER group from charts. But I have the opposite problem: When I use chart blah over foo by bar, legends include an "OTHER" group but the chart does not show it. This results in seriously skewed charts. For example, when I do not specify limit (default 10), I get three blank bands out of 6. (Only one blank expected.); if I do limit=20, I get two blank bands. Now if I do limit=30, five bands have non-zero values, but they are not correct judging by setting limit=40 and limit=0. Now I can't even trust limit=0 because OTHER group still exist. How can I force OTHER to display?

alt text
alt text

Preview file
20 KB
Preview file
20 KB
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-09-2017 04:44 AM

The chart command has a useother argument that you can try setting as useother=t.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-09-2017 02:39 AM

I tried to reproduce that using this search:

index=_internal sourcetype=splunkd_access | chart count over file by bytes

However, I get a chart with all columns containing something, lots with OTHER.

What version are you on?
Can you reproduce your issue using splunk-internal data to run anywhere?

alt text

Preview file
41 KB
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:10 PM

Version is 6.6.2. I tried several combinations with index=_internal but they are all able to show OTHER on chart. (Which is what I have always expected unless I specify useother=false).

But this inspired me to examine the stats in more detail, and discover that OTHER group alone contains multivalue entries! Because my input is single value, I was foolish to believe that values() is as good as any other function, not realising that OTHER would wreck havoc. Many thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...