Look for associations, statistical correlations, and differences in search results
This topic discusses transforming commands that find associations, similarities, and differences among field values in your search results.
The associate command
The associate command identifies events that are associated with each other through field/field value pairs. For example, if one event has a
referer_domain of "http://www.google.com/" and another event has a
referer_domain with the same URL value, then they are associated.
"Tune" the results gained by the
associate command with the supcnt, supfreq, and improv arguments. For more information about these arguments see the associate command reference topic.
Example: Search the web access sourcetypes and identify events that share at least three field/field-value pair associations.
sourcetype=access* | associate supcnt=3
The correlate command
The correlate command calculates the statistical correlation between fields. It uses the
cocur operation to calculate the percentage of times that two fields exist in the same set of results.
Example:' Search across all events where
eventtype=goodaccess, and calculates the co-occurrence correlation between all of those fields.
eventtype=goodaccess | correlate type=cocur
The diff command
Use the diff command to compare the differences between two search results. By default it compares the raw text of the search results you select, unless you use the attribute argument to focus on specific field attributes.
Example: Compare the IP addresses for the 44th and 45th events returned in the search.
eventtype=goodaccess | diff pos1=44 pos2=45 attribute=ip
Create reports that display summary statistics
Build a chart of multiple data series
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303
Feedback submitted, thanks!