Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Addtotals does not include 'Other'
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Addtotals does not include 'Other'
When I add a limit to a timechart to reduce the number of visible series (improve dashboard performance) it changes the value of Total when using addtotals.
Example:
| timechart span=1s avg(host_usage) by host useother=true
| addtotals
The below gives me a lower overall total than the above:
| timechart span=1s avg(host_usage) by host limit=5 useother=true
| addtotals
I thought Other was supposed to be the total of all other values not explicitly displayed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to carefully calibrate your result before drawing conclusions. In other words, compare apples to apples. Try this exercise: run the following two within the same calendar hour. First
<somesearch> earliest=-1h@h latest=-0h@h
| timechart span=1s avg(host_usage) by host useother=true
| addtotals
| table _time Total *
Then this
<somesearch> earliest=-1h@h latest=-0h@h
| timechart span=1s avg(host_usage) by host useother=true limit=5
| addtotals
| table _time Total *
What the earliest and latest do in this exercise is to eliminate any bucket error. (I am curious what use case could warrant timechart with span 1s.) The table command is so you can easily compare Total in each row.
When I test this method, Total does not change when I set limit. Here is the test set:
index=_audit earliest=-1d@d latest=-0d@d
| timechart span=4h count by action useother=true
| addtotals
| table _time Total *
| _time | Total | add | delete | expired_session_token | login_attempt | quota | read_session_token | search | update | validate_token |
| 2024-07-07 21:00 | 1592 | 0 | 0 | 14 | 0 | 1 | 787 | 3 | 0 | 787 |
| 2024-07-08 01:00 | 453 | 0 | 0 | 13 | 1 | 8 | 199 | 33 | 0 | 199 |
| 2024-07-08 05:00 | 212 | 0 | 0 | 3 | 1 | 8 | 95 | 10 | 0 | 95 |
| 2024-07-08 09:00 | 1965 | 0 | 0 | 9 | 2 | 8 | 964 | 14 | 4 | 964 |
| 2024-07-08 13:00 | 6508 | 0 | 0 | 22 | 2 | 10 | 3216 | 34 | 7 | 3217 |
| 2024-07-08 17:00 | 7059 | 1 | 1 | 0 | 0 | 0 | 3519 | 16 | 3 | 3519 |
| 2024-07-08 21:00 | 4966 | 0 | 0 | 0 | 0 | 0 | 2478 | 10 | 0 | 2478 |
index=_audit earliest=-1d@d latest=-0d@d
| timechart span=4h count by action useother=true limit=3
| addtotals
| table _time Total *
| _time | Total | OTHER | read_session_token | search | validate_token |
| 2024-07-07 21:00 | 1592 | 15 | 787 | 3 | 787 |
| 2024-07-08 01:00 | 453 | 22 | 199 | 33 | 199 |
| 2024-07-08 05:00 | 212 | 12 | 95 | 10 | 95 |
| 2024-07-08 09:00 | 1965 | 23 | 964 | 14 | 964 |
| 2024-07-08 13:00 | 6508 | 41 | 3216 | 34 | 3217 |
| 2024-07-08 17:00 | 7059 | 5 | 3519 | 16 | 3519 |
| 2024-07-08 21:00 | 4966 | 0 | 2478 | 10 | 2478 |
As you can see, the Total column in the two output are exactly identical.
Suggestion: If your event density is extremely high (given that you are using 1s time bucket), you can use snap-to anchor ("@", see Specify a snap to time unit) to avoid indeterministic time bucket
<somesearch>
| timechart span=1s@s avg(host_usage) by host useother=true
| addtotals<somesearch>
| timechart span=1s@s avg(host_usage) by host useother=true limit=5
| addtotals
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Giuseppe.
Unfortunately that is the problem, I actually have 30 values. I want to display the total for all, but don't necessarily want to chart them all, as this many series over a number of charts tends to slow down the dashboard. I was hoping that by using Other, it would sum the other values into that column, thereby allowing me to display an accurate total while not displaying all the values.
Is there a way to do this? I'm thinking it may only work by appending a subsearch for the total and overlaying it on the original chart, but I was trying to avoid adding another search for every panel that displays this data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jvamplew ,
I'm not sure, but it should run:
<your_search>
| bin span=1s -time
| stats avg(host_usage) by host useother=true
| addtotals
| timechart span=1s avg(host_usage) by host limit=7 useother=trueCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jvamplew,
if you use limit=5, you'll have 5 results, so you don't need to use useother.
In this way addtotals summarize only the results of the search, in other words, only the first 5 values.
Ciao.
Giuseppe
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
