Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- drilldown OTHER in a chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a bar chart created from the following search:
eventtype="EVENT_OSCE_Virus" | dedup Virus, destination | timechart count by Virus
The idea was to get a stacked bar chart of viral activity for the past week. It works fine, the chart is correct. I can also drill down by clicking on a virus name on the legend, or the relevant stack layer on the chart.
All this except for the automatically created OTHER category which groups the remaining events. When clicking on it I get the search
eventtype="EVENT_OSCE_Virus" | dedup Virus, destination | search Virus="OTHER"
which is obviously wrong. It should rather be something like
eventtype="EVENT_OSCE_Virus" | dedup Virus, destination | search NOT (Virus="first virus in
the legend" OR Virus="second virus in the legend" ...)
Is there a way to modify the default behavior for this kind of drilldown (ie. for a drilldown which uses the OTHER category)?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You cannot drilldown on the OTHER field and my understanding is that you cannot modify the behaviour of this field. If you want to see what exactly is going into your OTHER category for drilldown purposes, you can change your search to the following:
eventtype="EVENT_OSCE_Virus" | dedup Virus, destination | timechart limit=50 count by Virus
The limit=50 inclusion will show the top 50 Virus values. After those top 50 values are shown, it will place the remaining values (if there are more than 50 results) into the OTHER field. You can increase or decrease the limit value to your liking.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You cannot drilldown on the OTHER field and my understanding is that you cannot modify the behaviour of this field. If you want to see what exactly is going into your OTHER category for drilldown purposes, you can change your search to the following:
eventtype="EVENT_OSCE_Virus" | dedup Virus, destination | timechart limit=50 count by Virus
The limit=50 inclusion will show the top 50 Virus values. After those top 50 values are shown, it will place the remaining values (if there are more than 50 results) into the OTHER field. You can increase or decrease the limit value to your liking.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - this is what I was afraid of. I was hoping somehow that OTHER could be tweaked to display "everything except the values shown"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
