- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: What is the OTHER field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When running reports there are times when a field of OTHER is returned.
What defines a result to be returned to OTHER?
Can the properties that cause a result to be sent to this field be modified? If so what files control these properties?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The OTHER field represents groupings that are not in the top N most prevalent groups. For example, if you run a search like:
search ... | timechart count by host
the max number of host fields that would be returned by timechart is 10. If you have 25 distinct hosts in your dataset, then the 15 least populous hosts would be coalesced into OTHER.
There are 2 ways to deal with this:
Disable the use of
OTHERby adding auseother=fparameter:search ... | timechart count by host useother=fThis will generate a field for every
hostfound in the dataset.Increase the threshold for
OTHERgrouping:search ... | timechart count by host where count in top50This will generate a field for every
host, up to 50. If there are more than 50, those excess will then be grouped intoOTHER.
There is a similar grouping call NULL, which can be disabled by using the usenull=f option. These parameters are available on both the timechart and chart command. For more information, see the search reference on timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The OTHER field represents groupings that are not in the top N most prevalent groups. For example, if you run a search like:
search ... | timechart count by host
the max number of host fields that would be returned by timechart is 10. If you have 25 distinct hosts in your dataset, then the 15 least populous hosts would be coalesced into OTHER.
There are 2 ways to deal with this:
Disable the use of
OTHERby adding auseother=fparameter:search ... | timechart count by host useother=fThis will generate a field for every
hostfound in the dataset.Increase the threshold for
OTHERgrouping:search ... | timechart count by host where count in top50This will generate a field for every
host, up to 50. If there are more than 50, those excess will then be grouped intoOTHER.
There is a similar grouping call NULL, which can be disabled by using the usenull=f option. These parameters are available on both the timechart and chart command. For more information, see the search reference on timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The OTHER field is just a place-holder name used by timechart or bucket search commands (and possibly others). By default these grouping commands limit the number of values they group by because there is only so much room to display them on a chart. (If you use stats for example, you will not get an "OTHER" field, because stats is generally used for build tables and not visually displayed charts.) Generally "OTHER" this is this is just a combination of the most uninteresting series.
The number of series shown on a chart defaults to either 10 or 15 (don't remember off the top of my head). So if your search has a ... | timechart .... in the search, if you change it to .. | timechart limit=30 .... then you should see more actual grouping values. If you still see OTHER then you have more than 30 distinct values.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
