Related Answers
Download topic as PDF
cofilter
Description
Use this command to determine how many times field1 and field2 values occur together.
This command implements one step in a collaborative filtering analysis for making recommendations. Given a user field (field1) and an item field (field2), it finds how common each pair of items is. That is, it computes sum(A has X and A has Y) where X and Y are distinct items and A is each distinct user.
Syntax
cofilter <field1> <field2>
Required arguments
- field1
- Syntax: <field>
- Description: The name of field.
- field2
- Syntax: <field>
- Description: The name of a field.
Usage
The cofilter command is a transforming command. See Command types.
Examples
Example 1
Find the cofilter for user and item. The user field must be specified first and followed by the item field. The output is an event for each pair of items with: the first item and its popularity, the second item and its popularity, and the popularity of that pair of items.
Let's start with a simple search to create a few results:
| makeresults
| eval user="a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count
The results appear on the Statistics tab and look something like this:
| _time | count | user |
|---|---|---|
| 2020-02-19 21:17:54 | 1 | a |
| 2020-02-19 21:17:54 | 2 | b |
| 2020-02-19 21:17:54 | 3 | c |
| 2020-02-19 21:17:54 | 4 | a |
| 2020-02-19 21:17:54 | 5 | b |
| 2020-02-19 21:17:54 | 6 | c |
| 2020-02-19 21:17:54 | 7 | a |
| 2020-02-19 21:17:54 | 8 | b |
| 2020-02-19 21:17:54 | 9 | c |
The eval command with the modulus ( % ) operator is used to create the item field:
| makeresults
| eval user="a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count
| eval item = count % 5
The results look something like this:
| _time | count | item | user |
|---|---|---|---|
| 2020-02-19 21:17:54 | 1 | 1 | a |
| 2020-02-19 21:17:54 | 2 | 2 | b |
| 2020-02-19 21:17:54 | 3 | 3 | c |
| 2020-02-19 21:17:54 | 4 | 4 | a |
| 2020-02-19 21:17:54 | 5 | 0 | b |
| 2020-02-19 21:17:54 | 6 | 1 | c |
| 2020-02-19 21:17:54 | 7 | 2 | a |
| 2020-02-19 21:17:54 | 8 | 3 | b |
| 2020-02-19 21:17:54 | 9 | 4 | c |
Add the cofilter command to the search to determine for each pair of item values, how many user values occurred with each.
| makeresults
| eval user="a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count
| eval item = count % 5
| cofilter user item
The results look something like this:
| Item 1 | Item 1 user count | Item 2 | Item 2 user count | Pair count |
|---|---|---|---|---|
| 1 | 2 | 2 | 2 | 1 |
| 1 | 2 | 3 | 2 | 1 |
| 1 | 2 | 4 | 2 | 2 |
| 2 | 2 | 3 | 2 | 1 |
| 2 | 2 | 4 | 2 | 1 |
| 2 | 2 | 0 | 1 | 1 |
| 3 | 2 | 4 | 2 | 1 |
| 3 | 2 | 0 | 1 | 1 |
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the cofilter command.
|
PREVIOUS cluster |
NEXT collect |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.0.1, 6.4.9, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 6.5.10, 6.5.2, 6.5.3
Feedback submitted, thanks!