Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

[Need Help] how to expand 'OTHER' column created by stats command

cheriemilk
Path Finder
‎10-08-2020 07:39 AM

Hi team,

when I use stats command to group and aggregration. For example:  

<base query here>
| bin span=1d _time
| stats count(eval(autosave=1)) as autosave
count(eval(autosave=0 OR autosave=1)) as total by _time, DC .

There's a column named 'OTHER' created.  I want all the columns displayed, instead of group into 'OTHER' column if the number of columns are many. 

I know that for timechart command there's a parameter useother=false can do this. but I can't find asuch a paramter for stats command , can you help?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 10:31 AM

The stats command does NOT produce a field called "OTHER".  The only fields returned by stats are those named ("autosave", "total", "_time", and "DC" in the example query) in the command.  

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

cheriemilk
Path Finder
‎10-08-2020 05:47 PM

Hi @richgalloway 

Sorry that i was just awared that the 'OTHER' column is created by chart command, instead of stats.

| stats count(eval(autosave=1)) as autosave count(eval(autosave=0 OR autosave=1)) as total by _time , DC
| eval percent=round(autosave * 100 / total,2)
| chart values(total) as total values(autosave) as autosave values(percent) as percent by _time , DC

How to expand 'OTHER' column?

Thanks,

Cherie

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-09-2020 05:35 AM

The chart command has a useother option.

| chart useother=f values(total) as total values(autosave) as autosave values(percent) as percent by _time , DC
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 10:31 AM

The stats command does NOT produce a field called "OTHER".  The only fields returned by stats are those named ("autosave", "total", "_time", and "DC" in the example query) in the command.  

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

cheriemilk
Path Finder
‎10-08-2020 05:51 PM

Hi @richgalloway 

 

I found this useother=false can applied to chart command as well, just like timechart command.

 

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top