Splunk Search

"Other" values in pie chart

echalex
Builder

Hi,

Short explanation of my problem: I'm investigating a problem where two file downloads are apparently interrupted prematurely. For convenience's sake, let's assume I have two macros, file1 and file2 matching the downloads. I want a pie chart for both of them.

`file1` |chart count by bytes
`file2` |chart count by bytes

For file1 I get a nice pie chart, where there are the counts for the two most common AND a slice with the label other(30) with the count 30. But for file2 I get a pie slice for each distinct value of bytes. (Hope this is not too unclear)

Two questions:

1) Why is the behaviour for file1 the way it is? I didn't ask for it, but I do like it

2) How can I get the same behaviour for file2? My experiments with rangemap, bins and span put all the results in ranges like 200000-300000, etc.

Update:
Since I didn't express myself clearly at first, I want to point out that I'm looking for a way of setting useother to false from the search command itself. I have not included this search in a dashboard or view, so there is no XML to edit. The reason for my question is simply that I sometimes need to do a one-time search for this. This time, I was searching for failed downloads. But since the bytes field can also vary for successful downloads, it is important for me to see all the counts for all the values of bytes, not just the most common ones.

theertpr
Explorer

To get rid of "OTHER" and get the actual fields, use the following piece of XML code
0

this should be within



...................
..........................
.
.
.
.
0

genesiusj
Builder

I downvoted this post because I clicked upvote by accident. Just taking back my vote. The question from the user was about search, not dashboards.

0 Karma

HXCaine
Path Finder

@echalex Same here -- I ended up adding it to a dashboard just for the visualisation. Perhaps somebody can suggest a way of specifying these options without requiring a dashboard

echalex
Builder

Thanks for the input, but my question is still about doing this purely in the search language, not in a view or dashboard. So there is no XML to edit.

0 Karma

jonuwz
Influencer

When do pie charts collapse values into "other" (see sliceCollapsingThreshold)

By default, values that make up less than 1% of the whole are collapsed into "other".

If this is in a dashboard, you could edit the XML to change the value of this parameter to 0 to disable collapsing.

Update.

You could do something like ... | top limit=5 useother=t bytes

This will (should) show the top 5 values, and lump everything else into 'other'

HXCaine
Path Finder

Be careful with "useother", it only hides the fields that go into the 'other' category

0 Karma

echalex
Builder

Yes, I've been playing around with the useother option, but it doesn't seem to affect the pie chart in any way, I'm afraid.

0 Karma

MHibbin
Influencer

Did you see the update above? i.e. the "useother" option

0 Karma

echalex
Builder

I'm sure it will, but I'm not using a dashboard, report or form. Just a plain search. So whereas this parameter is certainly nice to have and good to know about, it does not really answer my question.

0 Karma

MHibbin
Influencer

I think the use of dashboard here has confused matters, this XML will work for all views (i.e. dashboards/reports/forms/whatever names you will give them).

Used this many times! You just need to apply the sliceCollapsingThreshold param to only the chart in question (i.e. file2), and the other chart will be unaffected.

0 Karma

echalex
Builder

Thanks! That does explain the difference in behaviour. However, this is not a dashboard. And I don't want to disable it. On the contrary, I want to enable it for file2.

0 Karma
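
The collapsing described in this thread can also be reproduced in the search language itself, with no view XML. The search below is an added example, not written by any poster here; it assumes the `file2` macro and the bytes field from the question and uses the 1% share mentioned above as its cut-off.

```spl
`file2`
| stats count by bytes
| eventstats sum(count) AS total
| eval share = count / total
| eval bytes = if(share < 0.01, "other", tostring(bytes))
| stats sum(count) AS count by bytes
| sort - count
```

The first stats counts each distinct value of bytes, eventstats attaches the grand total to every row, and the second stats merges all rows relabelled "other" into one. Changing 0.01 moves the cut-off; a cut-off of 0 leaves every distinct value of bytes as its own row.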