Solved: Are counts form the cofilter command "symmetric"?

JacobPN · ‎11-29-2017

Hi all,

As I understand it, the cofilter command counts how many times pairs of items occur. If the same user views item A ánd item B then that is counted as a pair. these pairs are counted and in this way we can for example find what items are viewed together more often. See: https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Cofilter

The command makes a table with columns:
Item 1, Item 1 user count, Item 2, Item 2 user count, Pair count

If my understanding is correct, this should mean that the resulting dataset should be completely symmetric under the interchange of the labels 1 and 2. However, if I do for example:

...
| cofilter user item
| stats dc("Item 1") dc("Item 2")

I get a different number of unique items in for the two columns. So what is the flaw in my understanding of the command? Or is there some "running out of memory"-issue that I'm not aware of?

Thank you!
Jacob

JacobPN · ‎11-30-2017

I think I found the answer to my own question:

The command is NOT symmetric. Instead every pair occurs only once. Seems logical thing in hindsight..

In other words, to find every item that users have viewed together with e.g. item 34, the correct search is

...
| cofilter user item
| search "Item 1" = 34 OR "Item 2" = 34

View solution in original post

JacobPN · ‎11-30-2017

I think I found the answer to my own question:

The command is NOT symmetric. Instead every pair occurs only once. Seems logical thing in hindsight..

In other words, to find every item that users have viewed together with e.g. item 34, the correct search is

...
| cofilter user item
| search "Item 1" = 34 OR "Item 2" = 34

Are counts form the cofilter command "symmetric"?

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!