Splunk Search

Why is 'other' showing up?

jgauthier
Contributor

I have a couple simple saved searches, and they are on a dashboard. After upgrading to 4.3, "other" started showing up on the pie charts. The search is simple:

sourcetype="squid" uri_host="facebook.com" | top 10 username

When I run the search interactively, there isn't an "other". Only on the dashboard. So, I decided to change the query to use chart, so I can 'useother=f'.

So, I changed it to be slightly more complex:

sourcetype="squid" action="*" uri_host="facebook.com"| chart count(username) as ucount by username useother=f| sort -ucount | head 10

But this resulted in:

"The following options were specified but have no effect when a split-by clause is not provided:useother"

So I remove 'useother=f' and I am back to a pie chart with 'other' in it.

Thanks for any assistance.


Ashish_Singla
Engager

Please use the following line in the source.

<option name="charting.chart.sliceCollapsingThreshold">0.00</option>

0 Karma

MHibbin
Influencer

I have also seen this many times when creating pie charts. I think the issue is that by default the chart will group results when they're below a certain threshold: less than 1% by default. So I would assume you have one/two (maybe a few) large results and the rest are grouped as they are so small in size. If you are using simplified XML you can add the following option to your XML.

In your simple XML you will have a line like...

<option name="charting.chart">pie</option>

Under this you should try adding...

<option name="charting.chart.sliceCollapsingThreshold">0</option>

If you are using advanced XML, you will have line(s) like...

<module name="HiddenChartFormatter">
<param name="charting.chart">pie</param>

You would need to use the following param directly below...

<param name="charting.chart.sliceCollapsingThreshold">0</param>

As I always recommend, you should probably "clone" the view before modifying, or at least have a backup in a notepad/text file.

This basically sets the threshold to "0", so there will be no collapsing to "Other".

EDIT... here are docs for this... DOCS

Hope this helps.

Regards,

MHibbin

anywhere99
Explorer

Thanks @MHibbin

0 Karma

bfernandez
Communicator

This should be marked as correct. Thanks @MHibbin

0 Karma

MHibbin
Influencer

I'm surprised the pie chart is still collapsing to "other".

What values do you get when you use (the count and %age, don't need the usernames if that's sensitive data):

sourcetype="squid" uri_host="facebook.com" | top 10 username

Additionally, could you add your xml?

0 Karma

jgauthier
Contributor

Thanks. I gave that a try. It didn't work. So, I looked up the module reference, which says: "0.01 (slices smaller than 1% of the whole pie are collapsed)" That was definitely not the case either. If I change the value to '1' then I get 100% of pie collapse. It seems to be ignoring the value as 0, or the default is not working.

0 Karma
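Added example, not part of the thread and not Splunk's charting code: a simplified Python model of the rule quoted above from the module reference (slices smaller than the threshold fraction of the whole pie are collapsed). It shows which usernames from a `top 10 username` style result would disappear into "other" at the thresholds discussed (0.01, 0 and 1). The function names and the sample counts are constructed for illustration.

```python
def hidden_labels(counts, threshold=0.01):
    """Return the labels whose share of the pie is below `threshold`.

    `counts` maps label -> count, `threshold` is a fraction (0.01 == 1%).
    Assumption: a strict "smaller than" comparison, as the quoted doc text says.
    """
    total = sum(counts.values())
    if total <= 0:
        return []
    return [label for label, n in counts.items() if n / total < threshold]


def collapse_slices(counts, threshold=0.01, other_label="other"):
    """Model of the pie after collapsing: small slices merged into one slice."""
    hidden = set(hidden_labels(counts, threshold))
    kept = {label: n for label, n in counts.items() if label not in hidden}
    merged = sum(counts[label] for label in hidden)
    if merged:
        kept[other_label] = kept.get(other_label, 0) + merged
    return kept


# Constructed sample: a long-tailed per-user request count, total 10000.
SAMPLE = {
    "alice": 6200, "bob": 3100, "carol": 540, "dave": 60, "erin": 45,
    "frank": 30, "grace": 15, "heidi": 6, "ivan": 3, "judy": 1,
}

if __name__ == "__main__":
    for t in (0.01, 0, 1):
        print(f"threshold={t}: {collapse_slices(SAMPLE, t)}")
    print("hidden at default threshold:", hidden_labels(SAMPLE))
```

In this model a threshold of 0 hides nothing and a threshold of 1 collapses the whole pie, which matches the "100% of pie collapse" reported for a value of 1.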