What does cofilter actually do?

SplunkTrust

I ran across the cofilter command and wanted to review some output results from it to see if it might be useful. It doesn't produce any results on my test data, so maybe I don't understand its purpose.

The docs are at https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Cofilter

Here's some run-anywhere test data that creates test records with an animal and a color.

| makeresults 
| eval mydata="dog,green cat,green cat,orange duck,yellow donkey,green dog,green dog,green dog,blue dog,yellow dog,grey wolf,black parakeet,yellow cat,yellow cat,green dog,green donkey,green" 
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata 
| eval animal=mvindex(mydata,0), color=mvindex(mydata,1) 
| table animal color 

... which produces records with the values as expected, but the following cofilter command has no output...

| cofilter animal color

So, what am I missing, here?


note - the "ask a question" question interface didn't allow cofilter as a tag... if anyone has admin rights to add a tag, please replace filter with cofilter.

1 Solution

Super Champion

I couldn't get it to work with your own data, but I used a small sample of some billing data to see if I could get it to work.

basic syntax: sourcetype=billing|cofilter user purchaseStatus

table:
"Item 1" "Item 1 user count" "Item 2" "Item 2 user count" "Pair count"
billed 9 disputed 1 1

I had 9 total users, so my data had 9 users that had a status "billed" and 1 with a status "disputed" and 1 time the user had both. I think the documentation isn't explaining this properly.


Esteemed Legend

You should post a comment to the docs page that it is not clear and reference the URL for this question.


Esteemed Legend

It may be somewhat related to contingency:
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Contingency

Try adding this instead:

| contingency animal color

SplunkTrust

Can you put a table command before the cofilter and see what happens? I can't believe that I can't get any output from a simple command.

BTW, did you mean you had 9 users or 11 users: 8 users with just billed and 1 with billed and disputed, or 9 with just billed, 1 with just disputed, and 1 with both?


Super Champion

I have 9 distinct users, they all had a billing status, one had a dispute status, and one had both (a dispute is like a return). It looked like it split it out by saying "Here are how many users had this value, here are how many had this other value, and here are how many had both values".

If I put |table user purchaseStatus before my cofilter command, it doesn't work. Bizarre. I think a ticket for enhanced documentation would help.

SplunkTrust

That matches my experience. Just to be clear, are there 9 records (8 records with "billed" and 1 with both "billed" and "disputed" as values in a single mv) or are there ten records (9 with "billed" and 1 with "disputed")?

Hmmm. Try | fields user purchaseStatus


Super Champion

| fields user purchaseStatus works.

My data isn't MV, so there are 9 billed and 1 disputed.