cofilter
Description
Use this command to determine how many times a value in <field1> and a value in <field2> occur together. For example, if you have a field that contains user IDs and another field that contains items names, this command finds how common each pair of user and item occur.
This command implements one step in a collaborative filtering analysis for making recommendations.
Syntax
cofilter <field1> <field2>
Required arguments
- field1
- Syntax: <field>
- Description: The name of field.
- field2
- Syntax: <field>
- Description: The name of a field.
Usage
The cofilter command is a transforming command. See Command types.
Examples
Example 1
Find the cofilter for user and item. The user field must be specified first and followed by the item field. The output is an event for each pair of items with: the first item and its popularity, the second item and its popularity, and the popularity of that pair of items.
Let's start with a simple search to create a few results:
| makeresults
| eval user="a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count
The results appear on the Statistics tab and look something like this:
| _time | count | user |
|---|---|---|
| 2020-02-19 21:17:54 | 1 | a |
| 2020-02-19 21:17:54 | 2 | b |
| 2020-02-19 21:17:54 | 3 | c |
| 2020-02-19 21:17:54 | 4 | a |
| 2020-02-19 21:17:54 | 5 | b |
| 2020-02-19 21:17:54 | 6 | c |
| 2020-02-19 21:17:54 | 7 | a |
| 2020-02-19 21:17:54 | 8 | b |
| 2020-02-19 21:17:54 | 9 | c |
The eval command with the modulus ( % ) operator is used to create the item field:
| makeresults
| eval user="a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count
| eval item = count % 5
The results look something like this:
| _time | count | item | user |
|---|---|---|---|
| 2020-02-19 21:17:54 | 1 | 1 | a |
| 2020-02-19 21:17:54 | 2 | 2 | b |
| 2020-02-19 21:17:54 | 3 | 3 | c |
| 2020-02-19 21:17:54 | 4 | 4 | a |
| 2020-02-19 21:17:54 | 5 | 0 | b |
| 2020-02-19 21:17:54 | 6 | 1 | c |
| 2020-02-19 21:17:54 | 7 | 2 | a |
| 2020-02-19 21:17:54 | 8 | 3 | b |
| 2020-02-19 21:17:54 | 9 | 4 | c |
Add the cofilter command to the search to determine how many user values occurred with each item value,
| makeresults
| eval user="a b c a b c a b c"
| makemv user
| mvexpand user
| streamstats count
| eval item = count % 5
| cofilter user item
The results look something like this:
| Item 1 | Item 1 user count | Item 2 | Item 2 user count | Pair count |
|---|---|---|---|---|
| 1 | 2 | 2 | 2 | 1 |
| 1 | 2 | 3 | 2 | 1 |
| 1 | 2 | 4 | 2 | 2 |
| 2 | 2 | 3 | 2 | 1 |
| 2 | 2 | 4 | 2 | 1 |
| 2 | 2 | 0 | 1 | 1 |
| 3 | 2 | 4 | 2 | 1 |
| 3 | 2 | 0 | 1 | 1 |
See also
| cluster | collect |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!