Solved: Why is timechart showing OTHER for some values?

nwoolley · ‎10-08-2019

process_inst_id=258600,process_def_id=30,process_name=MIWrite,start_dt=08-OCT-2019-07:39:49,end_dt=,completed=N,running=Running,exe_period=1,avg_exe_period=1,status=GREEN
host = rbm01.plus.netsourcetype = Crontab_SPL
08/10/2019
07:36:18.000    
process_inst_id=258599,process_def_id=5010,process_name=PAYRESP_NORMAL,start_dt=08-OCT-2019-07:36:18,end_dt=08-OCT-2019-07:37:40,completed=Y,running=08-OCT-2019-07:37:40,exe_period=1,avg_exe_period=1,status=GREEN
host = rbm01.plus.netsourcetype = Crontab_SPL

Fields above coming up as "OTHER" when I use timechart oddly, anyone know why?

index=asg "completed=" | timechart count by process_name

solarboyz1 · ‎10-08-2019

Usually occurs when hit the default limit of distinct values. add limt=0 to your timechart:

index=asg "completed=" | timechart limit=0 count by process_name

https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/SearchReference/Timechart

If set to limit=0, all distinct values are used. Setting limit=N keeps the N highest scoring distinct values of the split-by field.

View solution in original post

sandeepmakkena · ‎10-08-2019

... | timechart useother=f count by process_name

You can do this.

solarboyz1 · ‎10-08-2019

Usually occurs when hit the default limit of distinct values. add limt=0 to your timechart:

index=asg "completed=" | timechart limit=0 count by process_name

https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/SearchReference/Timechart

If set to limit=0, all distinct values are used. Setting limit=N keeps the N highest scoring distinct values of the split-by field.

nwoolley · ‎10-15-2019

perfect thanks

Why is timechart showing OTHER for some values?

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI