Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Are counts form the cofilter command "symmetric"?

JacobPN
Path Finder
‎11-29-2017 01:59 PM

Hi all,

As I understand it, the cofilter command counts how many times pairs of items occur. If the same user views item A ánd item B then that is counted as a pair. these pairs are counted and in this way we can for example find what items are viewed together more often. See: https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Cofilter

The command makes a table with columns:
Item 1, Item 1 user count, Item 2, Item 2 user count, Pair count

If my understanding is correct, this should mean that the resulting dataset should be completely symmetric under the interchange of the labels 1 and 2. However, if I do for example:

...
| cofilter user item
| stats dc("Item 1") dc("Item 2")

I get a different number of unique items in for the two columns. So what is the flaw in my understanding of the command? Or is there some "running out of memory"-issue that I'm not aware of?

Thank you!
Jacob

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JacobPN
Path Finder
‎11-30-2017 04:43 AM

I think I found the answer to my own question:

The command is NOT symmetric. Instead every pair occurs only once. Seems logical thing in hindsight..

In other words, to find every item that users have viewed together with e.g. item 34, the correct search is

...
| cofilter user item
| search "Item 1" = 34 OR "Item 2" = 34

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JacobPN
Path Finder
‎11-30-2017 04:43 AM

I think I found the answer to my own question:

The command is NOT symmetric. Instead every pair occurs only once. Seems logical thing in hindsight..

In other words, to find every item that users have viewed together with e.g. item 34, the correct search is

...
| cofilter user item
| search "Item 1" = 34 OR "Item 2" = 34
0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...