Splunk Search

Contingency table using dictated column fields

totho
New Member

I am currently looking to make a table that shows how variables from 5 fields (the first five rows that splunk says have the biggest count) end up being spread into 5 new fields. As of now, I have maxcol and maxrow set to 5. I know the 5 new fields that I want to specifically look at. Is there any way to call these fields out when I am doing the search. My current search looks like this

index=name |'data' | contingency group newgroup maxcols=5 maxrows=5 usetotal=false

I was hoping there would be some way to replace the maxcols=5 with a variable like col1=fielda col2=fieldb etc....

0 Karma

woodcock
Esteemed Legend

Like this:

index=name AND newgroup IN("value1", "value2", "value3", "value4", "value5")
| 'data'
| contingency group newgroup maxrows=5 usetotal=false
| table group value1 value2 value3 value4 value5

Here is a run-anywhere example:

index=_* AND sourcetype IN("splunkd", "splunk_resource_usage", "audittrail", "splunkd_access", "kvstore") AND date_minute IN("10", "20", "30", "40", "50")
| contingency sourcetype date_minute
0 Karma

to4kawa
Ultra Champion

Hello
Please provide a sample of the current results and the expected results.

Maybe you can do it with untable

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...