Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Drilldown on OTHER field

Ant1D
Motivator
‎02-25-2011 05:18 PM

Hey,

There is a field named OTHER which tends to appear at times in my search results. However, if I drilldown on this field (e.g. Click on a chart cell representing this OTHER field) the flashtimeline view will display no results.

Is there a way to get results to be displayed for the OTHER field? (This would enable me to see what data is going under this field and why).

I know that I can stop this field from appear via | fields - OTHER but sometimes this field has a fairly significant count in search results so I don't want to disregard this field.

Thanks in advance for your help.

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-26-2011 06:13 PM

Well the most basic way is to throw a limit=50 into your timechart or chart. That makes it display up to 50 (or whatever) before it starts lumping everybody into OTHER.

eg

 <your search> | timechart avg(session_length) by user limit=50

or

 <your search> | chart dc(users) by clientip limit=50

It doesnt make the 'OTHER' go away entirely but when the top 10 items leaves a significant slice of "OTHER" in the chart, often the top 50 will leave a much smaller slice and it becomes a much lower usability problem. The legend kind of goes off into space and you cant use it, but the user can mouseover the individual blocks or lines on the chart and see them still...

To david's point, sideview_utils makes a ton of stuff way easier, but this is more a search-language thing and it's best solved with search-language solutions.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-26-2011 06:13 PM

Well the most basic way is to throw a limit=50 into your timechart or chart. That makes it display up to 50 (or whatever) before it starts lumping everybody into OTHER.

eg

 <your search> | timechart avg(session_length) by user limit=50

or

 <your search> | chart dc(users) by clientip limit=50

It doesnt make the 'OTHER' go away entirely but when the top 10 items leaves a significant slice of "OTHER" in the chart, often the top 50 will leave a much smaller slice and it becomes a much lower usability problem. The legend kind of goes off into space and you cant use it, but the user can mouseover the individual blocks or lines on the chart and see them still...

To david's point, sideview_utils makes a ton of stuff way easier, but this is more a search-language thing and it's best solved with search-language solutions.

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎03-03-2011 02:36 AM

NP. There are things you can do with a little bit of JS in application.js, and I might roll something into application.js, but it's a bit nutty. Think "field!=value1 field!=value2 field!=value3...." kind of a pain in the ass but it wouldnt be too hard for me to roll it generically into a patch to the tables and charts and apply the patch from sideview_utils...

0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎03-02-2011 10:03 AM

Thanks for the info Nick

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎02-25-2011 06:31 PM

This may be something you can do with sideview_utils, and specifically the ValueSetter module. That will require you to delve into Advanced XML (and beyond that, to the sideview modules), so it might be more hassle than it's worth, but it could be something to consider.

You might also be able to get away with by doing your search as a subsearch, with a NOT. Not sure how it'd play out, but maybe it could get you what you want (albeit with another link / table / etc.)

0 Karma
Reply
Solved! Jump to solution

Ant1D
Motivator
‎02-28-2011 11:09 AM

Thanks for the info David

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...