Introduction:

A contingency table, sometimes called a two-way frequency table, is a tabular mechanism with at least two rows and two columns used in statistics to present categorical data in terms of frequency counts.

Definition:

The Splunk contingency command builds a contingency table, which is used to analyze information between fields. If there is contingency, the fields are dependent on each other, whereas if there is no contingency, the fields are independent.

Syntax:

contingency [<contingency-options>…] <field1> <field2>

<contingency-options> : {<maxopts> | <mincover> | <usetotal> | <totalstr>}

<field> : { field name.}

Contingency options:

maxrows=<int> – It specifies the maximum number of rows.

<int> – It specifies the integer value that limits the rows and columns. If value=0, it means maximum rows and columns. Default is 1000.

maxcols=<int> – It specifies the maximum number of columns.

mincolcover=<num> – It shows the percentage of values per column.

minrowcover=<num> – It shows the percentage of values per row.

usetotal=<bool> – <bool> denotes a Boolean value (True or False).

If usetotal=True, it adds row, column and complete totals to the output. Default is True.

totalstr=<field> – <field> denotes the name of the field; totalstr specifies the name used for the totals row and column.

Example 1:

Query – index="main" source="supermarket (2).csv" sourcetype="csv" | contingency Branch,City

Explanation:

The index main contains superstore data. We are using the contingency command to see if there is any relationship between the field Branch and the field City. The field Branch has three values: A, B and C. The field City has three values: Yangon, Mandalay and Naypyitaw.

339 is the count of events that contain the two values of the field in the first row and first column combination; that is, when Branch is A and City is Yangon, their combination value is 339. Similarly, when Branch is A and City is Mandalay or Naypyitaw, their combination value is zero.

1 is the count of events that contain the two values of the field in the second row and first column combination; that is, when Branch is B and City is Yangon, their combination value is 1. Similarly, when Branch is B and City is Mandalay, their combination value is 332. When Branch is B and City is Naypyitaw, their combination value is 333.

328 is the count of events that contain the two values of the field in the third row and third column combination; that is, when Branch is C and City is Naypyitaw, their combination value is 328. Similarly, when Branch is C and City is Mandalay or Naypyitaw, their combination value is zero.

The contingency command displays the row total and the column total, which is 1000, that is, the grand total of the number of events present in this table.

Example 2:

Query – index="main" source="supermarket (2).csv" sourcetype="csv" | contingency Product_line Payment maxrows=3 maxcols=3 usetotal=false

Explanation:

The index main contains superstore data. We are using the contingency command to see if there is any relationship between the field Product_line and the field Payment.

maxrows=3 and maxcols=3 mean that the table will display three rows and three columns. usetotal=false means it will not show the total values of the columns and rows. maxrows=3 will show the 3 highest values in the Product_line field; similarly, maxcols=3 will show the 3 highest values in the Payment field.

When Product_line=Fashion accessories, its combination value is 65 when Payment=Ewallet, 57 when Payment=Cash and 56 when Payment=Credit card.

When Product_line=Food and beverages, its combination value is 56 when Payment=Ewallet, 57 when Payment=Cash and 61 when Payment=Credit card.

When Product_line=Electronics accessories, its combination value is 53 when Payment=Ewallet, 71 when Payment=Cash and 46 when Payment=Credit card.
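
The two examples above, reproduced as an added Python sketch (not code from this page or from Splunk): it builds the same kind of table from constructed events and applies maxrows, maxcols, usetotal and totalstr as this page describes them. Ranking rows and columns by their totals, and computing totals over the displayed cells only, are assumptions of the sketch.

```python
from collections import Counter

# Constructed sample events shaped like the page's supermarket data (not the real CSV).
EVENTS = (
    [{"Branch": "A", "City": "Yangon"}] * 3
    + [{"Branch": "B", "City": "Mandalay"}] * 2
    + [{"Branch": "B", "City": "Yangon"}]
    + [{"Branch": "C", "City": "Naypyitaw"}] * 2
    + [{"Branch": "C"}]  # no City field: cannot be placed in any cell
)


def _top(totals, limit):
    """Values ordered by descending count (name breaks ties); limit 0 keeps all."""
    ordered = sorted(totals, key=lambda v: (-totals[v], v))
    return ordered[:limit] if limit else ordered


def contingency(events, row_field, col_field, maxrows=0, maxcols=0,
                usetotal=True, totalstr="TOTAL"):
    """Count events per (row value, column value) pair.

    Assumptions of this sketch: rows/columns are ranked by their own totals,
    and the totals cover only the cells that are displayed.
    """
    cells, row_tot, col_tot = Counter(), Counter(), Counter()
    for ev in events:
        if row_field not in ev or col_field not in ev:
            continue  # an event missing either field belongs to no cell
        r, c = ev[row_field], ev[col_field]
        cells[r, c] += 1
        row_tot[r] += 1
        col_tot[c] += 1
    rows, cols = _top(row_tot, maxrows), _top(col_tot, maxcols)
    table = {r: {c: cells[r, c] for c in cols} for r in rows}
    if usetotal:
        # column totals become an extra row, then every row gets its own total
        table[totalstr] = {c: sum(table[r][c] for r in rows) for c in cols}
        for row in table.values():
            row[totalstr] = sum(row.values())
    return table


if __name__ == "__main__":
    for name, row in contingency(EVENTS, "Branch", "City").items():
        print(name, row)
    print(contingency(EVENTS, "Branch", "City", maxrows=2, maxcols=2, usetotal=False))
```

A table in which each row has a single non-zero cell, as in Example 1, is the dependent case: knowing the Branch tells you the City.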
