Contingency table using dictated column fields

totho · ‎11-15-2019

I am currently looking to make a table that shows how variables from 5 fields (the first five rows that splunk says have the biggest count) end up being spread into 5 new fields. As of now, I have maxcol and maxrow set to 5. I know the 5 new fields that I want to specifically look at. Is there any way to call these fields out when I am doing the search. My current search looks like this

index=name |'data' | contingency group newgroup maxcols=5 maxrows=5 usetotal=false

I was hoping there would be some way to replace the maxcols=5 with a variable like col1=fielda col2=fieldb etc....

woodcock · ‎11-17-2019

Like this:

index=name AND newgroup IN("value1", "value2", "value3", "value4", "value5")
| 'data'
| contingency group newgroup maxrows=5 usetotal=false
| table group value1 value2 value3 value4 value5

Here is a run-anywhere example:

index=_* AND sourcetype IN("splunkd", "splunk_resource_usage", "audittrail", "splunkd_access", "kvstore") AND date_minute IN("10", "20", "30", "40", "50")
| contingency sourcetype date_minute

to4kawa · ‎11-15-2019

Hello
Please provide a sample of the current results and the expected results.

Maybe you can do it with untable

Contingency table using dictated column fields

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

Contingency table using dictated column fields

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar