Solved: Showing rows and columns when they do not exist in...

aelliott · ‎02-13-2014

I have a spreadsheet with a list of locations.
I have a list of Categories.
I have events of incidents with an office location on them that is the same as the office location on the spreadsheet,and categories that also are the same as the spreadsheet.

Data:
Incident1 Office A Category A
Incident2 Office A Category A
Incident3 Office B Category B
Incident4 Office D Category B

Spreadsheet Example:
Office A
Office B
Office C
Office D

I'm looking to make a search that has this as the results:
Category A Category B Category C
Office A 2 0 0
Office B 0 1 0
Office C 0 0 0
Office D 0 1 0

I was thinking of importing the list of Categories and locations as events and going from there, but the real issue here is how do I get Office C to show up as well as Category C in this scenario, when there are no incidents for them.

Here is what I have currently, but it does not show Category C or Office C as they do not exist in the data.
index=myIndex | stats count by Office Category | xyseries Office Category count | fillnull value=0

aelliott · ‎02-14-2014

I've figured this out , it was a lot of fun 🙂

View solution in original post

aelliott · ‎02-14-2014

I've figured this out , it was a lot of fun 🙂

Showing rows and columns when they do not exist in the event data

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout