Contingency table using dictated column fields
totho
New Member
11-15-2019
01:52 PM
I am currently looking to make a table that shows how variables from 5 fields (the first five rows that Splunk says have the biggest count) end up being spread into 5 new fields. As of now, I have maxcol and maxrow set to 5. I know the 5 new fields that I want to specifically look at. Is there any way to call these fields out when I am doing the search? My current search looks like this:
index=name |'data' | contingency group newgroup maxcols=5 maxrows=5 usetotal=false
I was hoping there would be some way to replace the maxcols=5 with a variable like col1=fielda col2=fieldb, etc.
woodcock
Esteemed Legend
11-17-2019
02:40 PM
Like this:
index=name AND newgroup IN("value1", "value2", "value3", "value4", "value5")
| 'data'
| contingency group newgroup maxrows=5 usetotal=false
| table group value1 value2 value3 value4 value5
Here is a run-anywhere example:
index=_* AND sourcetype IN("splunkd", "splunk_resource_usage", "audittrail", "splunkd_access", "kvstore") AND date_minute IN("10", "20", "30", "40", "50")
| contingency sourcetype date_minute
to4kawa
Ultra Champion
11-15-2019
10:47 PM
Hello
Please provide a sample of the current results and the expected results.
Maybe you can do it with untable