Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

cofilter

Description

Use this command to determine how many times field1 and field2 values occur together.

This command implements one step in a collaborative filtering analysis for making recommendations. Given a user field (field1) and an item field (field2), it finds how common each pair of items is. That is, it computes sum(A has X and A has Y) where X and Y are distinct items and A is each distinct user.

Syntax

cofilter <field1> <field2>

Required arguments

field1
Syntax: <field>
Description: The name of field.
field2
Syntax: <field>
Description: The name of a field.


Usage

The cofilter command is a transforming command. See Command types.

Examples

Example 1:

Find the cofilter for user and item. The user field must be specified first and followed by the item field. The output is event for each pair of items with: the first item and its popularity, the second item and its popularity, and the popularity of that pair of items.

... | cofilter user item

See also

associate, correlate

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the cofilter command.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:SearchReference:Cofilter:4.1&oldid=1056750"
PREVIOUS
cluster 		  NEXT
collect

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.8, 6.4.10, 6.4.11, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 8.0.0, 6.4.7, 6.4.9, 6.5.0, 6.5.1

Comments

I stand by my earlier unaddressed comment. Others are confused, too:
https://answers.splunk.com/answers/593836/are-counts-form-the-cofilter-command-symmetric.html
Try this run-anywhere; it does NOTHING:
| makeresults
| eval user="a b c a b c a b c a b c a b c a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count AS item
| eval item = item % 5
| multireport
[ cofilter user item
| eval DATASET="cofilter" ]
[ stats dc(item) BY user
| eval DATASET="itemBYuser" ]
[ stats dc(user) BY item
| eval DATASET="userBYitem" ]

Woodcock
November 29, 2017

Based on the docs for both commands, I believe that `contingency` should be in the `see also` section. I am not sure because I cannot get `cofilter` to work in some test. Perhaps the `cofilter` command doesn't work or is deprecated?

Woodcock
April 8, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters