analyzefields
Synopsis
Analyzes numerical fields for their ability to predict another discrete field.
Syntax
af | analyzefields classfield=field
Required arguments
- classfield
- Syntax: classfield=<field>
- Description: For best results, classfield should have 2 distinct values, although multi-class analysis is possible.
Description
Using the field named in classfield as a discrete random variable, analyzefields examines all *numerical* fields to determine the ability of each of those fields to predict the value of the classfield. For best results, classfield should have 2 distinct values, although multi-class analysis is possible.
The analyzefields command returns a table with five columns: field, count, cocur, acc, and balacc.
- field is the name of the field in the search results.
- count is the number of occurrences of the field in the search results.
- cocur is the co-occurrence of the field versus the classfield. The cocur is 1 if field exists in every event that has classfield.
- acc is the accuracy in predicting the value of the classfield using the value of the field. This is only valid for numerical fields.
- balacc, or "balanced accuracy", is the non-weighted average of the accuracies in predicting each value of the classfield. This is only valid for numerical fields.
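To make the difference between acc and balacc concrete, the following Python sketch is an added illustration, not Splunk's code and not part of the original documentation. It assumes a two-valued classfield, a best-single-threshold predictor per field, and cocur computed as the fraction of classfield events that also carry the field; the sample events are constructed.

```python
# Added illustration; NOT Splunk's implementation. The threshold predictor and
# the cocur ratio are assumptions made to show what the columns measure.

# Constructed sample events: is_activated is the classfield (6 vs 2, imbalanced).
EVENTS = [
    {"is_activated": "0", "logins": 1, "bytes": 500},
    {"is_activated": "0", "logins": 2, "bytes": 120},
    {"is_activated": "0", "logins": 1, "bytes": 900},
    {"is_activated": "0", "logins": 3},
    {"is_activated": "0", "logins": 2, "bytes": 300},
    {"is_activated": "0", "logins": 1, "bytes": 700},
    {"is_activated": "1", "logins": 9, "bytes": 400},
    {"is_activated": "1", "logins": 8, "bytes": 650},
]

def _score(pairs, predict):
    """Return (acc, balacc) for predict(value) over (value, label) pairs."""
    hits = {}
    for value, label in pairs:
        ok, n = hits.get(label, (0, 0))
        hits[label] = (ok + (predict(value) == label), n + 1)
    acc = sum(ok for ok, _ in hits.values()) / len(pairs)
    balacc = sum(ok / n for ok, n in hits.values()) / len(hits)
    return acc, balacc

def analyze(events, classfield):
    """Return {field: (count, cocur, acc, balacc)} for each numerical field."""
    with_class = [e for e in events if classfield in e]
    labels = sorted({e[classfield] for e in with_class})
    fields = sorted({k for e in events for k, v in e.items()
                     if k != classfield and isinstance(v, (int, float))})
    out = {}
    for f in fields:
        pairs = [(e[f], e[classfield]) for e in with_class if f in e]
        count = sum(1 for e in events if f in e)
        cocur = len(pairs) / len(with_class)
        # Assumed predictor: best single threshold, either orientation (2 classes).
        best = (0.0, 0.0)
        for t in sorted({v for v, _ in pairs}):
            for lo, hi in (labels, labels[::-1]):
                best = max(best, _score(pairs, lambda v: hi if v >= t else lo))
        out[f] = (count, cocur, *best)
    return out
```

On this data, logins separates the classes perfectly, while bytes reaches an acc of about 0.71 only by always predicting the majority value; its balacc of 0.5 exposes that it carries no predictive signal.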
Examples
Example 1: Analyze the numerical fields to predict the value of "is_activated".
... | af classfield=is_activated
See also
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2