analyzefields
Description
Using <field> as a discrete random variable, this command analyzes all numerical fields to determine the ability of each of those fields to predict the value of the classfield. It determines the stability of the relationship between values in the target classfield and numeric values in other fields.

As a reporting command, analyzefields consumes all input results and generates one row for each numeric field in the output results. The values in that row indicate the performance of the analyzefields command at predicting the value of the classfield. For each event, if the class whose conditional distribution of the numeric field yields the highest z-probability matches the actual class, the event is counted as accurate. The highest z-probability is based on the classfield.
Syntax
analyzefields classfield=<field>
You can use the abbreviation af for the analyzefields command.

The analyzefields command returns a table with five columns.
Field | Description |
---|---|
field | The name of a numeric field from the input search results. |
count | The number of occurrences of the field in the search results. |
cocur | The co-occurrence of the field. In the results where classfield is present, this is the ratio of results in which field is also present. The cocur is 1 if the field exists in every event that has a classfield. |
acc | The accuracy in predicting the value of the classfield, using the value of the field. This is the ratio of the number of accurate predictions to the total number of events with that field. This argument is valid only for numerical fields. |
balacc | The balanced accuracy is the non-weighted average of the accuracies in predicting each value of the classfield. This is only valid for numerical fields. |
Required arguments
- classfield
- Syntax: classfield=<field>
- Description: For best results, classfield should have two distinct values, although multiclass analysis is possible.
Examples
Example 1:
Analyze the numerical fields to predict the value of "is_activated".
... | analyzefields classfield=is_activated
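To make the five output columns concrete, the following is an added Python example, not Splunk's own implementation (whose internals this page does not describe): it computes count, cocur, acc and balacc over constructed events with a two-class classfield, assuming each class's conditional distribution of a numeric field is modelled as a normal distribution and the predicted class is the one giving the highest z-probability (the smallest |z|).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data): two-class classfield
# "is_malicious" and two numeric fields; "latency" is absent from some events.
EVENTS = [
    {"is_malicious": "yes", "bytes_out": 9000, "latency": 120},
    {"is_malicious": "yes", "bytes_out": 8500},
    {"is_malicious": "yes", "bytes_out": 9500, "latency": 130},
    {"is_malicious": "no", "bytes_out": 100, "latency": 20},
    {"is_malicious": "no", "bytes_out": 150, "latency": 25},
    {"is_malicious": "no", "bytes_out": 120},
    {"is_malicious": "no", "bytes_out": 8800, "latency": 22},  # benign outlier
]

def predict(value, stats):
    """Assumed model: each class's values are normal(mu, sigma); pick the class
    with the highest z-probability, i.e. the smallest |z| for this value."""
    best, best_z = None, float("inf")
    for cls, (mu, sigma) in stats.items():
        if sigma > 0:
            z = abs(value - mu) / sigma
        else:  # degenerate class (all values identical): exact match or nothing
            z = 0.0 if value == mu else float("inf")
        if z < best_z:
            best, best_z = cls, z
    return best

def analyzefields(events, classfield):
    """One output row per numeric field: count, cocur, acc, balacc."""
    with_class = [e for e in events if classfield in e]
    numeric = {k for e in with_class for k, v in e.items()
               if k != classfield and isinstance(v, (int, float))}
    rows = {}
    for field in sorted(numeric):
        present = [e for e in with_class if field in e]
        by_class = defaultdict(list)
        for e in present:
            by_class[e[classfield]].append(e[field])
        stats = {c: (mean(v), pstdev(v)) for c, v in by_class.items()}
        correct = defaultdict(int)  # accurate predictions per class value
        for e in present:
            if predict(e[field], stats) == e[classfield]:
                correct[e[classfield]] += 1
        rows[field] = {"count": len(present),
                       "cocur": round(len(present) / len(with_class), 4),
                       "acc": round(sum(correct.values()) / len(present), 4),
                       "balacc": round(mean(correct[c] / len(v) for c, v in by_class.items()), 4)}
    return rows
```

On the constructed events, bytes_out co-occurs with every classfield value (cocur 1.0) but mispredicts the benign outlier, while latency is a perfect predictor on the events where it is present (cocur below 1).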
See also
addtotals | anomalies
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14