Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what is the limit to the number of categories that can be in a legend in splunk timechart

HattrickNZ
Motivator
‎04-07-2015 08:25 PM

I have a timechart search that looks something like:

... | timechart  span=15m max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category | eval threshold=1

Some Observations/Questions:
But there is 14 categories to show and it only shows 10, and puts the remaining categories into Other. So that's 11 categories in total showing.
The legend seems to show the categories in alphabetical order. Can I order this by size or something else other that alphabetically?
Can I name Other to something else?
I can add another category to the legend using the eval threshold=1 and this seems to appear in the legend. So there is a limit there of sorts, but not completely it seems

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chimell
Motivator
‎04-08-2015 12:36 AM

Hi HattrickNZ
use limit=0 like below

  ... | timechart span=15m  max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category   limit=0 | eval threshold=1

View solution in original post

Reply
Solved! Jump to solution

fdi01
Motivator
‎04-08-2015 03:10 AM

try like this: .. | timechart span=15m useother=f limit=0 max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category |...

to see the "Other" category
and for more information on timechart command see this link: docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/timechart

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎04-08-2015 02:26 AM

Hi HattrickNZ ,
There is no limit for the number of categories that can be in legend in splunk timechart .
If you have 14 categories to show and it only shows 10, It is simply because splunk consider the value or the amount of the other categoties to be insignificant.
So splunk do not see an interest to put then in the legend But splunk gather all that values in one categories call other

Note that you can decide to display all your legend values( see what Chimell proposed).

Reply
Solved! Jump to solution
Solution

chimell
Motivator
‎04-08-2015 12:36 AM

Hi HattrickNZ
use limit=0 like below

  ... | timechart span=15m  max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category   limit=0 | eval threshold=1
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎04-08-2015 01:43 AM

Alternatively, you can add useother=f if you don't want to see the "Other" category.

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-12-2015 04:04 PM

tks but useother=f will remvoe it completely from the legend and this is not what i want in this instance but good to know.

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-12-2015 04:05 PM

limit=0 works by not grouping the remaining categories into Other.

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-07-2015 09:40 PM

You may also find the docs on timechart useful.

in particular otherstr can be used to rename Other.

0 Karma
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎04-07-2015 08:25 PM

found this re the limit question

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...