How to create a field value from a group of values...

diabinho · ‎11-07-2019

I m trying to create a table were I want to display the 3 biggest values (count) from a field and the existing remain as "others". For example:

Field1 count
A 27
B 20
C 8
others 239

How do I achieve to create "others" ?

*Others=D, E,F, ... (total count of occurrences)

Thanks

diabinho · ‎11-08-2019

I think I got it by applying |timechart span=5m limit=9 usenull=f useother=true count by ALPHABET |fields + "A" "F" "G" "OTHER"

richgalloway · ‎11-08-2019

@diabinho If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

mayurr98 · ‎11-07-2019

try this:

.. |top limit=3 Field1 useother=1 showperc=f

diabinho · ‎11-08-2019

Thank you for the help but I posted my question wrongly, never the less your answer helped me with something else 🙂

What I really want is something like this:
alt text

Being A, F and G always there despite the number of counts, and OTHER are just the remaining ones. I know if I use limit=limit_number I get automatically OTHER but I cant see how to "stick" A, F and G there.

Any thoughts?

Thanks

diabinho · ‎11-08-2019

Hello mayurr98,

It helped but it isn't what I was looking for but that's my bad, I didn't explain properly, never the less it helped me with something else.

Thanks

How to create a field value from a group of values in the same field?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to create a field value from a group of values in the same field?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0