Getting Data In

What does cofilter actually do?

DalJeanis
Legend

I ran across the cofilter command and wanted to review some output results from it to see if it might be useful. It doesn't produce any results on my test data, so maybe I don't understand its purpose.

The docs are at https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Cofilter

Here's some run-anywhere test data that creates test records with an animal and a color.

| makeresults 
| eval mydata="dog,green cat,green cat,orange duck,yellow donkey,green dog,green dog,green dog,blue dog,yellow dog,grey wolf,black parakeet,yellow cat,yellow cat,green dog,green donkey,green" 
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval animal=mvindex(mydata,0), color=mvindex(mydata,1) 
| table animal color 

... which produces records with the values as expected, but the following cofilter command has no output...

| cofilter animal color

So, what am I missing, here?


Note: the "ask a question" interface didn't allow cofilter as a tag... if anyone has admin rights to add a tag, please replace filter with cofilter.

1 Solution

cmerriman
Super Champion

I couldn't get it to work with your own data, but I used a small sample of some billing data to see if I could get it to work.

basic syntax: sourcetype=billing|cofilter user purchaseStatus

table:

    Item 1    Item 1 user count    Item 2      Item 2 user count    Pair count
    billed    9                    disputed    1                    1

I had 9 total users. So my data had 9 users that had a status "billed" and 1 with a status "disputed", and 1 time the user had both. I think the documentation isn't explaining this properly.


woodcock
Esteemed Legend

You should post a comment to the docs page that it is not clear and reference the URL for this question.


woodcock
Esteemed Legend

It may be somewhat related to contingency:
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Contingency

Try adding this instead:

| contingency animal color


DalJeanis
Legend

Can you put a table command before the cofilter and see what happens? I can't believe that I can't get any output from a simple command.

BTW, did you mean you had 9 users or 11 users: 8 users with just billed and 1 with billed and disputed, or 9 with just billed, 1 with just disputed, and 1 with both?

cmerriman
Super Champion

I have 9 distinct users, they all had a billing status, one had a dispute status, and one had both (a dispute is like a return). It looked like it split it out by saying "Here are how many users had this value, here are how many had this other value, and here are how many had both values".

If I put |table user purchaseStatus before my cofilter command, it doesn't work. Bizarre. I think a ticket for enhanced documentation would help.

DalJeanis
Legend

That matches my experience. Just to be clear, are there 9 records (8 records with "billed" and 1 with both "billed" and "disputed" as values in a single mv) or are there ten records (9 with "billed" and 1 with "disputed")?

Hmmm. Try | fields user purchaseStatus


cmerriman
Super Champion

| fields user purchaseStatus works.

My data isn't MV, so there are 9 billed and 1 disputed.

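The count semantics laid out in the accepted answer and pinned down in the last two replies (one row per pair of item values, counting distinct users per value plus the users holding both), worked through as an added Python example. This is not Splunk's code and not from anyone in this thread. The billing events are constructed to match the numbers described (9 distinct users, all billed, one of them also disputed); the animal/color events are the original post's test data. Emitting pairs that no user shares (pair count 0) and treating a list as a multivalue field are assumptions for illustration, not confirmed cofilter behaviour.

```python
"""Reproduce the counts a Splunk `cofilter <user_field> <item_field>` search
reports, over small constructed datasets (added example, not Splunk's code)."""
from collections import defaultdict
from itertools import combinations


def _as_values(value):
    """Treat a plain string as a single value and a list/tuple/set as a
    multivalue (MV) field, the case DalJeanis asked about. Assumption."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [str(value)]


def cofilter(events, user_field, item_field):
    """Return rows shaped like the cofilter output table in the thread:
    (item1, item1 user count, item2, item2 user count, pair count).

    Counts are of DISTINCT users, not events: a user billed three times still
    counts once for 'billed'. Every unordered pair of items is emitted, even
    when no user shares the two values (pair count 0); whether Splunk drops
    such rows is not settled on this page, so that part is an assumption.
    """
    users_by_item = defaultdict(set)
    for ev in events:
        for user in _as_values(ev.get(user_field)):
            for item in _as_values(ev.get(item_field)):
                users_by_item[item].add(user)
    # Most widely held item first, then by name, so output is deterministic.
    items = sorted(users_by_item, key=lambda it: (-len(users_by_item[it]), it))
    rows = []
    for a, b in combinations(items, 2):
        shared = users_by_item[a] & users_by_item[b]
        rows.append((a, len(users_by_item[a]), b, len(users_by_item[b]), len(shared)))
    return rows


def lookup(rows, item1, item2):
    """Fetch (count of item1, count of item2, pair count) for one pair,
    whichever column order the row happens to use."""
    for a, n_a, b, n_b, pair in rows:
        if {a, b} == {item1, item2}:
            return (n_a, n_b, pair) if a == item1 else (n_b, n_a, pair)
    return None


# Constructed stand-in for the billing sample: 9 distinct users, each with one
# 'billed' event, and user u3 also with one 'disputed' event. Not real data.
BILLING_EVENTS = [{"user": f"u{i}", "purchaseStatus": "billed"} for i in range(1, 10)]
BILLING_EVENTS.append({"user": "u3", "purchaseStatus": "disputed"})

# The original post's animal/color data, split the way makemv/mvexpand did.
ANIMAL_RAW = ("dog,green cat,green cat,orange duck,yellow donkey,green dog,green "
              "dog,green dog,blue dog,yellow dog,grey wolf,black parakeet,yellow "
              "cat,yellow cat,green dog,green donkey,green")
ANIMAL_EVENTS = [dict(zip(("animal", "color"), pair.split(","))) for pair in ANIMAL_RAW.split()]


if __name__ == "__main__":
    for row in cofilter(BILLING_EVENTS, "user", "purchaseStatus"):
        print(*row)  # billed 9 disputed 1 1
    for row in cofilter(ANIMAL_EVENTS, "animal", "color"):
        print(*row)  # e.g. yellow 4 green 3 2: dog and cat carry both colors
```

Read against the thread: the billing rows reproduce the accepted answer's table exactly, and the animal/color rows show what the OP's data would have produced under these semantics (green is carried by 3 distinct animals, yellow by 4, and 2 animals carry both), which is the output the OP was expecting to see.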