https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448561#M176991 <P>This answer works as well, and perhaps is slightly cleaner.<BR /> @eykrevooh's answer was posted first and thus I accepted it.</P> Fri, 08 Feb 2019 14:25:31 GMT jfriedman_ofigl 2019-02-08T14:25:31Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448558#M176988 <P>My vulnerability data looks like this:</P> <PRE><CODE>Machine MachineType VulnCode Impact ------- ----------- -------- ------ A X 100 5 A X 101 4 A X 102 3 A X 103 5 B X 200 5 B X 201 3 C Y 101 4 D Y 200 5 D Y 201 3 E Z 103 5 F Z 201 3 </CODE></PRE> <P>I want a result like this:</P> <PRE><CODE>MachineType Impact=5 Impact=4 Impact=3 ----------- -------- -------- -------- X 3 1 2 Y 1 1 1 Z 1 0 1 </CODE></PRE> <P>I tried appendcols with a savedsearch but got <CODE>Found circular dependency when expanding savedsearch</CODE>.</P> <P>Thank you.</P> Thu, 07 Feb 2019 22:10:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448558#M176988 jfriedman_ofigl 2019-02-07T22:10:24Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448559#M176989 <P>This would be case to use the <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Xyseries">xyseries</A> command.</P> <P>First you want to get a count by the number of Machine Types and the Impacts. <BR /> <CODE>| stats count by MachineType, Impact</CODE><BR /> Once you have the count you can use xyseries command to set the x axis as Machine Types, the y axis as the Impact, and their value as count.<BR /> <CODE>| xyseries MachineType, Impact, count</CODE><BR /> This will produce a table like you have above, the only difference is that any place where there would be a 0 it would be null. If you want zeros in there place you can use fillnull.<BR /> <CODE>| fillnull value=0</CODE></P> <P>Example Full Command:<BR /> <CODE>| stats count by MachineType, Impact<BR /> | xyseries MachineType, Impact, count<BR /> | fillnull value=0</CODE></P> Thu, 07 Feb 2019 23:22:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448559#M176989 eykrevooh 2019-02-07T23:22:44Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448560#M176990 <P>I think you just need to make impact that way you want and then use chart to format.</P> <PRE><CODE>&lt;your search&gt; | eval Impact = "Impact=" . Impact | chart count over MachineType by Impact </CODE></PRE> Thu, 07 Feb 2019 23:28:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448560#M176990 maciep 2019-02-07T23:28:15Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448561#M176991 <P>This answer works as well, and perhaps is slightly cleaner.<BR /> @eykrevooh's answer was posted first and thus I accepted it.</P> Fri, 08 Feb 2019 14:25:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448561#M176991 jfriedman_ofigl 2019-02-08T14:25:31Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448562#M176992 <P>understood...important thing is you got what you needed. And although xyseries may not be needed for this particular case, keep it in your toolbox, because it can definitely come in handy</P> Fri, 08 Feb 2019 14:33:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-crosstab-with-sparse-data/m-p/448562#M176992 maciep 2019-02-08T14:33:00Z