The arules command looks for associative relationships between field values. The command returns a table with the following columns: Given fields, Implied fields, Strength, Given fields support, and Implied fields support. The given and implied field values are the values of the fields you supply. The Strength value indicates the relationship between (among) the given and implied field values.
Implements the arules algorithm as discussed in Michael Hahsler, Bettina Gruen and Kurt Hornik (2012). arules: Mining Association Rules and Frequent Itemsets. R package version 1.0-12. This algorithm is similar to the algorithms used for online shopping websites which suggest related items based on what items other customers have viewed or purchased.
arules [<arules-option>... ] <field-list>...
- Syntax: <field> <field> ...
- Description: The list of field names. At least two fields must be specified.
- Syntax: <support> | <confidence>
- Description: Options for arules command.
- Syntax: sup=<int>
- Description: Specify a support limit. Associations with computed support levels smaller than this value are not included in the output results. The support option must be a positive integer.
- Default: 3
- Syntax: conf=<float>
- Description: Specify a confidence limit. Associations with a confidence (expressed as
Strengthfield) are not included in the output results. Must be between 0 and 1.
- Default: .5
arules command is a streaming command. See Command types.
Example 1: Search for the likelihood that the fields are related.
... | arules field1 field2 field3
... | arules sup=3 conf=.6 field1 field2 field3
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2106, 8.2.2107, 8.2.2105, 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202, 8.2.2203