Look for associations, statistical correlations, and differences in search results
The associate reporting command identifies events that are associated with each other through shared field/value pairs. For example, if one event has a referer_domain of "http://www.google.com/" and another event has a referer_domain with the same URL value, then the two events are associated.
You can tune the results returned by the associate command with the supcnt, supfreq, and improv arguments. For more information about these arguments, see the Associate page in the Search Reference.
For example, this report searches the access sourcetypes and reports field/value pair associations, but only for reference field/value pairs that appear in at least three events (supcnt=3):
sourcetype=access* | associate supcnt=3
The correlate reporting command calculates the statistical correlation between fields. With type=cocur it performs the co-occurrence calculation: for each pair of fields, the percentage of times that the two fields exist in the same set of results.
The following report searches across all events with eventtype=goodaccess and calculates the co-occurrence correlation between all of the fields in those events:
eventtype=goodaccess | correlate type=cocur
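To make the numbers behind the associate arguments (supcnt, supfreq, improv) and the cocur matrix concrete, here is an added example that is not Splunk code: a small Python model of what the two commands compute, run over a constructed set of extracted events. It assumes that the "improvement" score is the drop in Shannon entropy of a target field once a reference field/value pair is fixed, and that a cocur cell is normalised by the number of events carrying the row field; both are this example's definitions, not Splunk's documented algorithm, and the sample events and field names are invented.

```python
"""Added example (not Splunk's own code): a model of what `associate`
and `correlate type=cocur` compute, run over constructed events.

Assumptions: the associate "improvement" is the drop in Shannon entropy
of the target field once the reference field/value pair is fixed; a
cocur cell is the fraction of events carrying the row field that also
carry the column field. Both are this example's definitions."""
import math
from collections import Counter

# Constructed sample events (fields as a web-access search would extract
# them). The 198.51.100.7 client only ever produces POST /login 401s and
# never carries a user field, the kind of pattern associate surfaces.
EVENTS = [
    {"clientip": "10.0.0.5", "method": "GET", "uri": "/login", "status": "200", "user": "alice"},
    {"clientip": "10.0.0.5", "method": "POST", "uri": "/login", "status": "200", "user": "alice"},
    {"clientip": "198.51.100.7", "method": "POST", "uri": "/login", "status": "401"},
    {"clientip": "198.51.100.7", "method": "POST", "uri": "/login", "status": "401"},
    {"clientip": "198.51.100.7", "method": "POST", "uri": "/login", "status": "401"},
    {"clientip": "10.0.0.9", "method": "GET", "uri": "/admin", "status": "403", "user": "bob"},
    {"clientip": "10.0.0.9", "method": "GET", "uri": "/index.html", "status": "200", "user": "bob"},
    {"clientip": "203.0.113.4", "method": "GET", "uri": "/wp-login.php", "status": "404"},
]


def entropy(values):
    """Shannon entropy (bits) of the distribution of the given values."""
    counts = Counter(values)
    total = len(values)
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h if h > 0 else 0.0  # avoid -0.0 for a single-valued list


def associate(events, supcnt=100, supfreq=0.1, improv=0.5):
    """Model of `associate`: for every reference field/value pair that
    occurs at least supcnt times and in at least supfreq of all events,
    report each other (target) field whose entropy drops by at least
    improv bits when the reference pair is fixed. The defaults are
    assumed to match the command's own defaults."""
    fields = sorted({f for e in events for f in e})
    results = []
    for ref in fields:
        ref_counts = Counter(e[ref] for e in events if ref in e)
        for value, count in sorted(ref_counts.items()):
            if count < supcnt or count / len(events) < supfreq:
                continue  # not enough support for this reference pair
            for target in fields:
                if target == ref:
                    continue
                uncond = [e[target] for e in events if target in e]
                cond = [e[target] for e in events
                        if e.get(ref) == value and target in e]
                if not cond:
                    continue  # target never co-occurs with this pair
                h_u, h_c = entropy(uncond), entropy(cond)
                if h_u - h_c < improv:
                    continue  # fixing the pair does not explain the target
                top, n = Counter(cond).most_common(1)[0]
                results.append({
                    "ref_field": ref, "ref_value": value, "target": target,
                    "support_count": count,
                    "support_freq": count / len(events),
                    "h_uncond": h_u, "h_cond": h_c,
                    "improvement": h_u - h_c,
                    "top_value": top, "top_share": n / len(cond),
                })
    return results


def cocur(events):
    """Model of `correlate type=cocur`: matrix[a][b] is the fraction of
    events carrying field a that also carry field b (1.0 on the diagonal),
    so a row reads as "when a is present, how often is b present too"."""
    fields = sorted({f for e in events for f in e})
    matrix = {}
    for a in fields:
        with_a = [e for e in events if a in e]
        matrix[a] = {b: sum(1 for e in with_a if b in e) / len(with_a)
                     for b in fields}
    return matrix


if __name__ == "__main__":
    # supcnt=3 as in the search above; with eight events, supfreq=0.1 is
    # satisfied by any pair that already clears supcnt.
    for r in associate(EVENTS, supcnt=3):
        print(f"{r['ref_field']}={r['ref_value']} -> {r['target']}: "
              f"support={r['support_count']} improvement={r['improvement']:.2f} "
              f"top={r['top_value']} ({r['top_share']:.0%})")
    for a, row in cocur(EVENTS).items():
        print(a, {b: round(v, 2) for b, v in row.items()})
```

Running it shows why supcnt matters: clientip=10.0.0.9 also explains its status values well, but with only two events it is filtered out, while clientip=198.51.100.7 (three events, all 401) is reported with a conditional entropy of zero. In the cocur output the user row is 1.0 against every other field, but the clientip row shows user at 0.5, because only half of the events carry a user field.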
Use the diff reporting command to compare two search results. By default it compares the raw text of the two results you select; use the attribute argument to compare a specific field instead.
For example, this report takes the 44th and 45th events returned by the search and compares their ip field values:
eventtype=goodaccess | diff pos1=44 pos2=45 attribute=ip
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18