Using <field> as a discrete random variable, this command analyzes all numerical fields to determine the ability of each of those fields to predict the value of the classfield. It determines the stability of the relationship between values in the target classfield and numeric values in other fields.
As a reporting command, analyzefields consumes all input results and generates one row for each numeric field in the output results. The values in that row indicate the performance of the analyzefields command at predicting the value of a classfield. For each event, if the class whose conditional distribution of the numeric field gives the highest z-probability matches the actual class, the event is counted as accurate. The highest z-probability is based on the
You can use the abbreviation af for the analyzefields command.

Syntax: analyzefields classfield=<field>

The analyzefields command returns a table with five columns.
| Column | Description |
|---|---|
| field | The name of a numeric field from the input search results. |
| count | The number of occurrences of the field in the search results. |
| cocur | The co-occurrence of the field. In the results where classfield … |
| acc | The accuracy in predicting the value of the classfield. |
| balacc | The balanced accuracy is the non-weighted average of the accuracies in predicting each value of the classfield. |
- Syntax: classfield=<field>
- Description: For best results, classfield should have two distinct values, although multiclass analysis is possible.
Analyze the numerical fields to predict the value of "is_activated".
... | analyzefields classfield=is_activated
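To make the count, cocur, acc and balacc columns concrete, here is an added Python re-implementation of the table over constructed login-audit events; it is not Splunk's code. It assumes the scoring rule is "fit a mean and standard deviation per class, then assign each event to the class giving its value the smallest |z|", and that cocur is the share of results carrying the classfield that also carry the numeric field; both are assumptions, since the page does not spell them out.

```python
"""Illustrative re-implementation of the analyzefields table (added example).
Assumed rule (not from the Splunk docs): per class, fit mean and standard deviation of
the numeric field; an event is assigned the class giving its value the smallest |z|."""
from statistics import mean, pstdev

# Constructed sample events: a login audit; the last event carries no classfield.
EVENTS = [
    {"is_activated": 1, "login_count": 20, "failed_attempts": 1},
    {"is_activated": 1, "login_count": 22, "failed_attempts": 0},
    {"is_activated": 1, "login_count": 24, "failed_attempts": 2},
    {"is_activated": 1, "login_count": 26},
    {"is_activated": 1, "login_count": 28},
    {"is_activated": 1, "login_count": 3},          # activated but looks dormant
    {"is_activated": 0, "login_count": 0, "failed_attempts": 1},
    {"is_activated": 0, "login_count": 2, "failed_attempts": 3},
    {"is_activated": 0, "login_count": 4, "failed_attempts": 0},
    {"login_count": 7},                              # no classfield: counted, not scored
]

def predict_class(x, stats):
    """Return the class whose (mean, stdev) puts x at the smallest |z|."""
    def z(c):
        m, s = stats[c]
        if s == 0:                       # degenerate class: only an exact match fits
            return 0.0 if x == m else float("inf")
        return abs(x - m) / s
    return min(stats, key=z)

def analyzefields(events, classfield):
    """Return {field: {count, cocur, acc, balacc}} mirroring the command's columns."""
    classified = [e for e in events if classfield in e]
    numeric = sorted({k for e in events for k, v in e.items()
                      if k != classfield and isinstance(v, (int, float))})
    table = {}
    for f in numeric:
        rows = [e for e in classified if f in e]
        by_class = {}
        for e in rows:
            by_class.setdefault(e[classfield], []).append(e[f])
        stats = {c: (mean(vals), pstdev(vals)) for c, vals in by_class.items()}
        hits = {c: 0 for c in by_class}
        for e in rows:
            hits[e[classfield]] += predict_class(e[f], stats) == e[classfield]
        per_class = [hits[c] / len(vals) for c, vals in by_class.items()]
        table[f] = {"count": sum(1 for e in events if f in e),
                    "cocur": len(rows) / len(classified),
                    "acc": sum(hits.values()) / len(rows),
                    "balacc": sum(per_class) / len(per_class)}
    return table
```

With these events, login_count scores acc 8/9 but balacc 11/12 because the one miss falls in the larger class, while failed_attempts is present in only six of nine classified results (cocur 0.667) and predicts no better than chance.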
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105, 8.2.2106, 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111