Reporting
Highlighted

What is the OTHER field?

Explorer

When running reports there are times when a field of OTHER is returned.

What defines a result to be returned to OTHER?

Can the properties that cause a result to be sent to this field be modified? If so what files control these properties?

Tags (1)
Highlighted

Re: What is the OTHER field?

Super Champion

The OTHER field is just a place-holder name used by timechart or bucket search commands (and possibly others). By default these grouping commands limit the number of values they group by because there is only so much room to display them on a chart. (If you use stats for example, you will not get an "OTHER" field, because stats is generally used for build tables and not visually displayed charts.) Generally "OTHER" this is this is just a combination of the most uninteresting series.

The number of series shown on a chart defaults to either 10 or 15 (don't remember off the top of my head). So if your search has a ... | timechart .... in the search, if you change it to .. | timechart limit=30 .... then you should see more actual grouping values. If you still see OTHER then you have more than 30 distinct values.

Highlighted

Re: What is the OTHER field?

Contributor

The OTHER field represents groupings that are not in the top N most prevalent groups. For example, if you run a search like:

search ... | timechart count by host

the max number of host fields that would be returned by timechart is 10. If you have 25 distinct hosts in your dataset, then the 15 least populous hosts would be coalesced into OTHER.

There are 2 ways to deal with this:

  1. Disable the use of OTHER by adding a useother=f parameter:

    search ... | timechart count by host useother=f
    

    This will generate a field for every host found in the dataset.

  2. Increase the threshold for OTHER grouping:

    search ... | timechart count by host where count in top50
    

    This will generate a field for every host, up to 50. If there are more than 50, those excess will then be grouped into OTHER.

There is a similar grouping call NULL, which can be disabled by using the usenull=f option. These parameters are available on both the timechart and chart command. For more information, see the search reference on timechart.

View solution in original post