
cofilter
Description
Use this command to determine how many times field1 and field2 values occur together.
This command implements one step in a collaborative filtering analysis for making recommendations. Given a user field (field1
) and an item field (field2
), it finds how common each pair of items is. That is, it computes sum(A has X and A has Y) where X and Y are distinct items and A is each distinct user.
Syntax
cofilter <field1> <field2>
Required arguments
- field1
- Syntax: <field>
- Description: The name of field.
- field2
- Syntax: <field>
- Description: The name of a field.
Usage
The cofilter
command is a transforming command. See Command types.
Examples
Example 1:
Find the cofilter for user
and item
. The user
field must be specified first and followed by the item
field. The output is event for each pair of items with: the first item and its popularity, the second item and its popularity, and the popularity of that pair of items.
... | cofilter user item
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the cofilter command.
PREVIOUS cluster |
NEXT collect |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.10, 6.4.11, 6.5.0, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1, 6.4.9, 6.5.1, 6.5.10, 6.5.1612 (Splunk Cloud only)
Comments
Based on the docs for both commands, I believe that `contingency` should be in the `see also` section. I am not sure because I cannot get `cofilter` to work in some test. Perhaps the `cofilter` command doesn't work or is deprecated?
I stand by my earlier unaddressed comment. Others are confused, too:
https://answers.splunk.com/answers/593836/are-counts-form-the-cofilter-command-symmetric.html
Try this run-anywhere; it does NOTHING:
| makeresults
| eval user="a b c a b c a b c a b c a b c a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count AS item
| eval item = item % 5
| multireport
[ cofilter user item
| eval DATASET="cofilter" ]
[ stats dc(item) BY user
| eval DATASET="itemBYuser" ]
[ stats dc(user) BY item
| eval DATASET="userBYitem" ]