I have a timechart search that looks something like:
... | timechart span=15m max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category | eval threshold=1
Some Observations/Questions:
But there is 14 categories to show and it only shows 10, and puts the remaining categories into Other
. So that's 11 categories in total showing.
The legend seems to show the categories in alphabetical order. Can I order this by size or something else other that alphabetically?
Can I name Other
to something else?
I can add another category to the legend using the eval threshold=1
and this seems to appear in the legend. So there is a limit there of sorts, but not completely it seems
Hi HattrickNZ
use limit=0 like below
... | timechart span=15m max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category limit=0 | eval threshold=1
try like this: .. | timechart span=15m useother=f limit=0 max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category |...
to see the "Other" category
and for more information on timechart command see this link: docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/timechart
Hi HattrickNZ ,
There is no limit for the number of categories that can be in legend in splunk timechart .
If you have 14 categories to show and it only shows 10, It is simply because splunk consider the value or the amount of the other categoties to be insignificant.
So splunk do not see an interest to put then in the legend But splunk gather all that values in one categories call other
Note that you can decide to display all your legend values( see what Chimell proposed).
Hi HattrickNZ
use limit=0 like below
... | timechart span=15m max(c84162281) as "Average Seizure Traffic per Line (Trunk Group)" by TG_Category limit=0 | eval threshold=1
Alternatively, you can add useother=f
if you don't want to see the "Other" category.
tks but useother=f
will remvoe it completely from the legend and this is not what i want in this instance but good to know.
limit=0
works by not grouping the remaining categories into Other
.
You may also find the docs on timechart useful.
in particular otherstr
can be used to rename Other.
found this re the limit question