Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Rename "other" in result set

M__rt_n
New Member
‎07-03-2017 11:55 PM

When making a graph, I get my result set, limited to the number of results I wish to see. The remaining results are combined in an "other" value.
This is all correct, BUT I wish to rename this "other"- value, since all my "regular" values are listed in another language.
How can this be done?
(I have been able to use "eval" to change my "regular" values, but this doesn't seem to work for the "other"-value.)

0 Karma
Reply

DalJeanis
Legend
‎07-05-2017 06:57 AM

I can't get the replace verb to work, but there's a timechart-specific command. Run anywhere example - 

source=unix_hosts 
| timechart count by splunk_server  otherstr="NewValue"
Reply

dnyanesh7
Engager
‎05-24-2020 12:33 AM

If you are using PieChart: You can edit your source and add this property-

charting.chart.sliceCollapsingLabel = "ProvideName"

by default it is: Other

0 Karma
Reply

woodcock
Esteemed Legend
‎07-04-2017 07:43 AM

Just add this to the end of your search:

| rename OTHER AS YourOtherNameHere
0 Karma
Reply

M__rt_n
New Member
‎07-05-2017 02:43 AM

This doesn't seem to work.
This Other value isn't a column name.
It's a value inside a column.

0 Karma
Reply

ddrillic
Ultra Champion
‎07-05-2017 06:39 AM

So, maybe something in the spirit of - | rex field=basavalue mode=sed "s/Other/NewValue/g"

0 Karma
Reply

sbbadri
Motivator
‎07-05-2017 06:32 AM

try this

your base search | timechart usenull=fasle useother=false limit=0 count

Reply

niketn
Legend
‎07-05-2017 07:09 AM

Slight correction in the syntax. However, if OTHER field is being introduced through timechart or chart command you can use following three to control number of fields returned and whether to usenull and useother or not limit, usenull and useother.

 | timechart usenull=f useother=f limit=10 count

By default the limit is 10 and setting the same to 0 will show all fields generated due to aggregation.
usenull is by default true (or t) which you can set to either false or f. Similarly for useother.
You might have to share your query if you are not using timechart or chart command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...