Look for associations, statistical correlations, and differences in search results
This topic discusses transforming commands that find associations, similarities, and differences among field values in your search results.
The associate command
The associate command identifies events that are associated with each other through field/field value pairs. For example, if one event has a referer_domain of "http://www.google.com/" and another event has a referer_domain with the same URL value, then they are associated.
"Tune" the results gained by the associate command with the supcnt, supfreq, and improv arguments. For more information about these arguments see the associate command reference topic.
Example: Search the web access sourcetypes and identify events that share at least three field/field-value pair associations.
sourcetype=access* | associate supcnt=3
The correlate command
The correlate command calculates the statistical correlation between fields. It uses the cocur operation to calculate the percentage of times that two fields exist in the same set of results.
Example: Search across all events where eventtype=goodaccess, and calculate the co-occurrence correlation between all of the fields in those events.
eventtype=goodaccess | correlate type=cocur
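To make the co-occurrence percentage concrete, the following is an added Python illustration of the calculation over a handful of constructed web-access style events; it is not Splunk's code and the event data is made up. It assumes, as a reading of the definition above, that each percentage is taken relative to the events in which the row field is present, which is why the table is not symmetric. From a defender's point of view, a field that co-occurs only part of the time (here referer_domain) is worth noticing: it can mean a field-extraction gap or a class of requests that simply lacks the field.

```python
from typing import Dict, List

# Constructed sample events (not real data): some fields are deliberately
# missing from some events, which is what co-occurrence measures.
EVENTS: List[Dict[str, str]] = [
    {"clientip": "10.0.0.1", "status": "200", "uri": "/login", "referer_domain": "www.example.com"},
    {"clientip": "10.0.0.2", "status": "404", "uri": "/admin"},
    {"clientip": "10.0.0.3", "status": "200", "uri": "/", "referer_domain": "www.example.com"},
    {"clientip": "10.0.0.4", "status": "500"},
]


def cocur(events: List[Dict[str, str]]) -> Dict[str, Dict[str, float]]:
    """Return {row_field: {col_field: fraction}} where fraction is the share of
    events containing row_field that also contain col_field (assumed normalization).
    The diagonal is therefore always 1.0."""
    fields = sorted({f for e in events for f in e})
    present = {f: sum(1 for e in events if f in e) for f in fields}
    table: Dict[str, Dict[str, float]] = {}
    for a in fields:
        row: Dict[str, float] = {}
        for b in fields:
            both = sum(1 for e in events if a in e and b in e)
            # present[a] > 0 because every field in `fields` was seen at least once
            row[b] = round(both / present[a], 3)
        table[a] = row
    return table


def print_table(table: Dict[str, Dict[str, float]]) -> None:
    """Render the matrix in the RowField / per-field column layout the command uses."""
    fields = list(table)
    print("RowField".ljust(16) + "".join(f.ljust(16) for f in fields))
    for a in fields:
        print(a.ljust(16) + "".join(f"{table[a][b]:.2f}".ljust(16) for b in fields))


if __name__ == "__main__":
    print_table(cocur(EVENTS))
```

Running it prints one row per field; for the constructed events, clientip co-occurs with referer_domain in 50% of its events, while referer_domain co-occurs with clientip in 100% of its own, because the denominator changes with the row field.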
The diff command
Use the diff command to compare two search results. By default it compares the raw text of the two results you select, unless you use the attribute argument to compare a specific field instead.
Example: Compare the IP addresses for the 44th and 45th events returned in the search.
eventtype=goodaccess | diff pos1=44 pos2=45 attribute=ip
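The following added Python illustration (not Splunk's code) shows why the attribute argument matters: comparing the raw text of two constructed access-log results reports every token that differs (address, timestamp, status and size), while comparing only the ip field isolates the one difference an investigator asked about. The results, the positions and the field names are all constructed for the example.

```python
import difflib
from typing import Dict, List, Tuple

# Constructed sample results (not real data), as a search might return them.
RESULTS: List[Dict[str, str]] = [
    {"_raw": '10.0.0.44 - - [01/Jan/2024:10:00:01] "GET /login HTTP/1.1" 200 512',
     "ip": "10.0.0.44", "status": "200", "uri": "/login"},
    {"_raw": '10.0.0.45 - - [01/Jan/2024:10:00:02] "GET /login HTTP/1.1" 401 128',
     "ip": "10.0.0.45", "status": "401", "uri": "/login"},
]


def diff_results(results: List[Dict[str, str]], pos1: int, pos2: int,
                 attribute: str = "_raw") -> List[Tuple[str, str]]:
    """Return the (old, new) token runs that differ between the results at
    1-based positions pos1 and pos2. With the default attribute the whole raw
    text is compared; pass a field name to compare only that field's value.
    A missing field compares as empty text."""
    a = results[pos1 - 1].get(attribute, "").split()
    b = results[pos2 - 1].get(attribute, "").split()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    changes: List[Tuple[str, str]] = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            changes.append((" ".join(a[i1:i2]), " ".join(b[j1:j2])))
    return changes


if __name__ == "__main__":
    print("raw text:", diff_results(RESULTS, 1, 2))
    print("ip only: ", diff_results(RESULTS, 1, 2, attribute="ip"))
    print("uri only:", diff_results(RESULTS, 1, 2, attribute="uri"))
```

The raw comparison returns three differing runs for the constructed pair, the ip comparison returns just the two addresses, and the uri comparison returns nothing because both results requested the same path.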
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408