Solved: timechart count by what values are chosen

robertlabrie · ‎09-19-2015

If a log is generated every time a user comments on a blog

index=bloglog sourcetype=comments | timechart count by username

You'll get a great timechart with 10 (or whatever your limit is) usernames, and an other. How does Splunk decide what usernames would get shown? Can I assume that if they're visible, they had the most events in the time period?

badrinath_itrs · ‎09-19-2015

Hi,

It displays the users having top count values as per default limit and the rest all users will be grouped as others . To change the limit you can use limit=0 ( all users) or some other number as per your requirement.

You can also add "useother=0" in your timechart search command to remove the other field.

Hope this helps.

View solution in original post

badrinath_itrs · ‎09-19-2015

Hi,

It displays the users having top count values as per default limit and the rest all users will be grouped as others . To change the limit you can use limit=0 ( all users) or some other number as per your requirement.

You can also add "useother=0" in your timechart search command to remove the other field.

Hope this helps.

robertlabrie · ‎09-20-2015

Thanks for helping. I figured that was the logic, but wanted to confirm.
Thanks

timechart count by what values are chosen

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms