Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to prevent chart command from only displaying ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have an input table with 3 inputs: id, name, and date. I'm attempting to chart the count of id's by name over time.
I'm currently using the following command:
chart count(id) over time by name
This gives me the exact formatting I'm looking for, but I'm running into an issue where all but the 10 names with the highest count get lumped together in a new column called OTHER that seems to be generated by Splunk.
How can I prevent this from happening and ensure Splunk displays all of the names, not just the top 10?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's a little unusual to have chart command used when the x-axis is time, as this is really what timechart command is designed for. if If you haven't taken a look already, I recommend doing so; you may prefer the way timechart handles the bucketing of times, drilldown and other behaviors.
Also make sure you're aware that count(id) is going to count the number of occurrences of the "id" field, and it will not count the number of distinct occurrences, which would be dc(id).
Anyway, moving on to your question about "OTHER", which is a feature of both timechart and chart, superficially, you can remove the "OTHER" from the results with "useother=f", but doing this is usually a bad idea. The reason is that while the useother argument removes the OTHER column, it does not actually alter the underlying behavior of listing only the top 10 ! Instead you're just removing the only clear evidence that the list is truncated and you can see how confusion might result.
So instead, a better is to raise the limit from the default of 10, with the limit argument, ie limit=100 in the following.
chart count(id) over time by name limit=100
or using timechart,
timechart count(id) by name limit=100
If/when you have more than that number there, you'll still get an OTHER column. Change it to 500 or 1000 if you like of course. 😃
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's a little unusual to have chart command used when the x-axis is time, as this is really what timechart command is designed for. if If you haven't taken a look already, I recommend doing so; you may prefer the way timechart handles the bucketing of times, drilldown and other behaviors.
Also make sure you're aware that count(id) is going to count the number of occurrences of the "id" field, and it will not count the number of distinct occurrences, which would be dc(id).
Anyway, moving on to your question about "OTHER", which is a feature of both timechart and chart, superficially, you can remove the "OTHER" from the results with "useother=f", but doing this is usually a bad idea. The reason is that while the useother argument removes the OTHER column, it does not actually alter the underlying behavior of listing only the top 10 ! Instead you're just removing the only clear evidence that the list is truncated and you can see how confusion might result.
So instead, a better is to raise the limit from the default of 10, with the limit argument, ie limit=100 in the following.
chart count(id) over time by name limit=100
or using timechart,
timechart count(id) by name limit=100
If/when you have more than that number there, you'll still get an OTHER column. Change it to 500 or 1000 if you like of course. 😃
Data Persistence in the OpenTelemetry Collector
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
Community Content Calendar, September edition
