Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add specific fields into the timechart OTHER category.

dglinder
Path Finder
‎12-04-2013 06:40 AM

I'm generating a report of the daily usage of my users indexes over the past week using this search:

earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput 
| eval GB=kb/(1024*1024) 
| bucket _time span=1d 
| convert ctime(_time) as timestamp 
| timechart span=1d sum(GB) by series

This works well, except the "_fishbucket" shows as one of the values charted.

I would like to combine"_fishbucket" and a few other fields into the "OTHER" category, but the only methods I can think of appear to drop them completely from the report.

Any suggestions?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 12:36 PM

For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series were found:

eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)

This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.

There's the code from before with the addition:

earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput 
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series) 
| eval series=if(series == "_fishbucket", "OTHER", series) 
| eval GB=kb/(1024*1024) 
| bucket _time span=1d 
| convert ctime(_time) as timestamp 
| timechart span=1d sum(GB) by series

(I could have combined the two "eval series=..." pieces but I left them separate for readability.)

View solution in original post

Reply
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 12:36 PM

For anyone who is interested, I worked around this by using eval to change the series field to "OTHER" whenever one of the ignorable series were found:

eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series)

This changes any place that the "series" value is either "VALUE_internal" or "_internal" and places it in the "OTHER" column. If not, it sets it back to the original value of series.

There's the code from before with the addition:

earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput 
| eval series=if(series == "VALUE_internal" OR series == "_internal", "OTHER", series) 
| eval series=if(series == "_fishbucket", "OTHER", series) 
| eval GB=kb/(1024*1024) 
| bucket _time span=1d 
| convert ctime(_time) as timestamp 
| timechart span=1d sum(GB) by series

(I could have combined the two "eval series=..." pieces but I left them separate for readability.)

Reply
Solved! Jump to solution

anthonysomerset
Path Finder
‎03-27-2017 04:35 AM

amazing, this worked perfectly for me when my data set already had an "Other" field too i was able to also use the otherstr="" option to time chart to merge my Other series with OTHER

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...