Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

chart over refuses to show OTHER group

yuanliu
SplunkTrust
SplunkTrust
‎08-08-2017 02:10 PM

Many people asked about how to suppress OTHER group from charts. But I have the opposite problem: When I use chart blah over foo by bar, legends include an "OTHER" group but the chart does not show it. This results in seriously skewed charts. For example, when I do not specify limit (default 10), I get three blank bands out of 6. (Only one blank expected.); if I do limit=20, I get two blank bands. Now if I do limit=30, five bands have non-zero values, but they are not correct judging by setting limit=40 and limit=0. Now I can't even trust limit=0 because OTHER group still exist. How can I force OTHER to display?

alt text
alt text

Preview file
20 KB
Preview file
20 KB
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:14 PM

@martin_mueller is my usual muse:-). The problem is caused by my mistaken belief that values() on single-value input will always result in single-value stats. It does, except with charting where a group of stats have to be combined into OTHER, causing this group to be multi-valued and not displayed on the chart.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-09-2017 04:44 AM

The chart command has a useother argument that you can try setting as useother=t.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-09-2017 02:39 AM

I tried to reproduce that using this search:

index=_internal sourcetype=splunkd_access | chart count over file by bytes

However, I get a chart with all columns containing something, lots with OTHER.

What version are you on?
Can you reproduce your issue using splunk-internal data to run anywhere?

alt text

Preview file
41 KB
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-09-2017 12:10 PM

Version is 6.6.2. I tried several combinations with index=_internal but they are all able to show OTHER on chart. (Which is what I have always expected unless I specify useother=false).

But this inspired me to examine the stats in more detail, and discover that OTHER group alone contains multivalue entries! Because my input is single value, I was foolish to believe that values() is as good as any other function, not realising that OTHER would wreck havoc. Many thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...