I'd like to display up to a certain number of data points in a bar chart in a way that the rest of the items which do *not* get displayed are collapsed into one bar: "other". Is there a way to do this? I'm aware that I can simply set the maximum number of data points to display, but this provides no information about the rest, which is what I'm trying to do. I'm using the Splunjs framework to create the visualization in an app external to Splunk.
-- your seaarch
| sort - countfield
| eventstats sum(countfield) as total
| head 8
| eventstats sum(countfield) as partial
| sort countfield
| streamstats count as row
| eval row=if(row = 1, mvappend(row,"0"), row)
| mvexpand row
| eval dimension=if(row = 0, "Other", dimension)
| eval countfield=if(row = 0, total - partial, countfield)
| sort - row
| fields - row partial total
Thanks for your reply! It looks like I've deleted my original response to this post by mistake :-(. I understand this as a clever work-around for the fact that the feature is not supported (as built-in) in bar charts. I am not familiar yet with some of the commands in your query, but I'll them up as they seem pretty useful. Thanks!
-- your seaarch
| sort - countfield
| eventstats sum(countfield) as total
| head 8
| eventstats sum(countfield) as partial
| sort countfield
| streamstats count as row
| eval row=if(row = 1, mvappend(row,"0"), row)
| mvexpand row
| eval dimension=if(row = 0, "Other", dimension)
| eval countfield=if(row = 0, total - partial, countfield)
| sort - row
| fields - row partial total