Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Add specific fields into the timechart OTHER c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm generating a report of the daily usage of my users indexes over the past week using this search:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
This works well, except the "_fishbucket" shows as one of the values charted.
I would like to combine"_fishbucket" and a few other fields into the "OTHER" category, but the only methods I can think of appear to drop them completely from the report.
Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series were found:
eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.
There's the code from before with the addition:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
| eval series=if(series == "_fishbucket", "OTHER", series)
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
(I could have combined the two "eval series=..." pieces but I left them separate for readability.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series were found:
eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.
There's the code from before with the addition:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)
| eval series=if(series == "_fishbucket", "OTHER", series)
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
(I could have combined the two "eval series=..." pieces but I left them separate for readability.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amazing, this worked perfectly for me when my data set already had an "Other" field too i was able to also use the otherstr="" option to time chart to merge my Other series with OTHER
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
