I ran across the cofilter
command and wanted to review some output results from it to see if it might be useful. It doesn't produce any results on my test data, so maybe I don't understand its purpose.
The docs are at https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Cofilter
Here's some run-anywhere test data that creates test records with an animal and a color.
| makeresults
| eval mydata="dog,green cat,green cat,orange duck,yellow donkey,green dog,green dog,green dog,blue dog,yellow dog,grey wolf,black parakeet,yellow cat,yellow cat,green dog,green donkey,green"
| makemv mydata
| mvexpand mydata
| makemv delim="," mydata
| eval animal=mvindex(mydata,0), color=mvindex(mydata,1)
| table animal color
... which produces records with the values as expected, but the following cofilter command has no output...
| cofilter animal color
So, what am I missing, here?
note - the "ask a question" question interface didn't allow cofilter
as a tag... if anyone has admin rights to add a tag, please replace filter with cofilter.
i couldn't get it to work with your own data, but I used a small sample of some billing data to see if i could get it to work.
basic syntax: sourcetype=billing|cofilter user purchaseStatus
table:
"Item 1" "Item 1 user count" "Item 2" "Item 2 user count" "Pair count"
billed 9 disputed 1 1
i had 9 total users. so my data had 9 users that had a status "billed" and 1 with a status "disputed" and 1 time the user had both. I think the documentation isn't explaining this properly.
You should post a comment to the docs page that it is not clear and reference the URL for this question.
It may be somewhat related to contingency
:
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Contingency
Try adding this instead:
| contingency animal color
i couldn't get it to work with your own data, but I used a small sample of some billing data to see if i could get it to work.
basic syntax: sourcetype=billing|cofilter user purchaseStatus
table:
"Item 1" "Item 1 user count" "Item 2" "Item 2 user count" "Pair count"
billed 9 disputed 1 1
i had 9 total users. so my data had 9 users that had a status "billed" and 1 with a status "disputed" and 1 time the user had both. I think the documentation isn't explaining this properly.
Can you put a table
command before the cofilter
and see what happens? I can't believe that I can't get any output from a simple command.
BTW, did you mean you had 9 users or 11 users- 8 users with just billed and 1 with billed and disputed, or 9 with just billed, 1 with just disputed, and 1 with both?
i have 9 distinct users, they all had a billing status, one had a dispute status, and one had both (a dispute is like a return). It looked like it split it out by saying "Here are how many users had this value, here are how many had this other value, and here are how many had both values".
if I put |table user purchaseStatus
before my cofilter
command, it doesn't work. Bizarre. I think a ticket for enhanced documentation would help.
That matches my experience. Just to be clear, are there 9 records (8 records with "billed" and 1 with both "billed" and "disputed" as values in a single mv) or are there ten records (9 with "billed" and 1 with "disputed")?
Hmmm. Try | fields user purchaseStatus
| fields user purchaseStatus works.
my data isn't MV, so there are 9 billed and 1 disputed.