
cofilter
Description
Use this command to determine how many times field1 and field2 values occur together.
This command implements one step in a collaborative filtering analysis for making recommendations. Given a user field (field1
) and an item field (field2
), it finds how common each pair of items is. That is, it computes sum(A has X and A has Y) where X and Y are distinct items and A is each distinct user.
Syntax
cofilter <field1> <field2>
Required arguments
- field1
- Syntax: <field>
- Description: The name of field.
- field2
- Syntax: <field>
- Description: The name of a field.
Usage
The cofilter
command is a transforming command. See Command types.
Examples
Example 1:
Find the cofilter for user
and item
. The user
field must be specified first and followed by the item
field. The output is event for each pair of items with: the first item and its popularity, the second item and its popularity, and the popularity of that pair of items.
... | cofilter user item
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the cofilter command.
PREVIOUS cluster |
NEXT collect |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.9, 6.4.10, 6.4.11, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 6.4.8, 6.5.0, 6.5.1, 6.5.10
Comments
Based on the docs for both commands, I believe that `contingency` should be in the `see also` section. I am not sure because I cannot get `cofilter` to work in some test. Perhaps the `cofilter` command doesn't work or is deprecated?
I stand by my earlier unaddressed comment. Others are confused, too:
https://answers.splunk.com/answers/593836/are-counts-form-the-cofilter-command-symmetric.html
Try this run-anywhere; it does NOTHING:
| makeresults
| eval user="a b c a b c a b c a b c a b c a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count AS item
| eval item = item % 5
| multireport
[ cofilter user item
| eval DATASET="cofilter" ]
[ stats dc(item) BY user
| eval DATASET="itemBYuser" ]
[ stats dc(user) BY item
| eval DATASET="userBYitem" ]