I'm generating a report of the daily usage of my users' indexes over the past week using this search:
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| convert ctime(_time) as timestamp
| timechart span=1d sum(GB) by series
This works well, except the "_fishbucket" shows as one of the values charted.
I would like to combine "_fishbucket" and a few other fields into the "OTHER" category, but the only methods I can think of appear to drop them completely from the report.
Any suggestions?
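One way to fold chosen series into OTHER without dropping them, as an added example that is not part of the original post: rename the series with eval before timechart, so their kb sums are aggregated under the OTHER label together with whatever timechart itself folds there. Only "_fishbucket" comes from the post; "_audit" stands in for the other names the poster has in mind, and the useother/otherstr options are Splunk's documented timechart arguments.

```spl
earliest=-7d@d latest=@d index="_internal" source="*metrics.log" per_index_thruput
| eval GB=kb/(1024*1024)
| bucket _time span=1d
| eval series=if(series=="_fishbucket" OR series=="_audit", "OTHER", series)
| timechart span=1d sum(GB) by series useother=t otherstr="OTHER"
```

Because the renamed rows carry the same label that timechart uses for its own low-volume bucket, they land in a single OTHER column rather than a separate one.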