Documentation > Splunk > Search Reference > associate

Search Reference

 


Welcome
Search Overview
Search Commands
Custom Search Commands

associate

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

associate

Synopsis

Identifies correlations between fields.

Syntax

associate [associate-option]* [field-list]

Arguments

Description

Searches for relationships between pairs of fields. More specifically, this command tries to identify cases where the entropy of field1 decreases significantly based on the condition of field2=value2. field1 is known as the target key and field2 the reference key and value2 the reference value. If a list of fields is provided, analysis will be restricted to only those fields. By default all fields are used.

Examples

Example 1: Return results associated with each other (that have at least 3 references to each other).

... | associate supcnt=3

Example 2: Analyze all events from host "reports" and return results associated with each other.

host="reports" | associate supcnt=50 supfreq=0.2 improv=0.5

Example 3: Analyze all fields to find a relationship.

... | associate


See also

correlate, contingency

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.3/SearchReference/Associate"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!