Solved: timechart count by what values are chosen

robertlabrie · ‎09-19-2015

If a log is generated every time a user comments on a blog

index=bloglog sourcetype=comments | timechart count by username

You'll get a great timechart with 10 (or whatever your limit is) usernames, and an other. How does Splunk decide what usernames would get shown? Can I assume that if they're visible, they had the most events in the time period?

badrinath_itrs · ‎09-19-2015

Hi,

It displays the users having top count values as per default limit and the rest all users will be grouped as others . To change the limit you can use limit=0 ( all users) or some other number as per your requirement.

You can also add "useother=0" in your timechart search command to remove the other field.

Hope this helps.

View solution in original post

badrinath_itrs · ‎09-19-2015

Hi,

It displays the users having top count values as per default limit and the rest all users will be grouped as others . To change the limit you can use limit=0 ( all users) or some other number as per your requirement.

You can also add "useother=0" in your timechart search command to remove the other field.

Hope this helps.

robertlabrie · ‎09-20-2015

Thanks for helping. I figured that was the logic, but wanted to confirm.
Thanks

timechart count by what values are chosen

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?