Splunk Search

Correlate multivalues and count each relation to other values

Lithyum
Engager

Hi.

I need help in understanding how this can be done:

The application's log has a multivalue field like this:

<somedata> [field1=A,B,C] <someotherdata>
<somedata> [field1=A,C] <someotherdata>
<somedata> [field1=E,F] <someotherdata>

And I need to find correlations between these values.

I'm looking to have something like:

field1mv  inConjunctionWith  count
A         <all>              2
A         C                  2
A         B                  1
B         <all>              1
B         A                  1
C         <all>              2
C         A                  2
C         B                  1
E         <all>              1
E         F                  1
F         <all>              1
F         E                  1


This way it'll be possible to identify that A+C, and E+F, have the same occurrences and probably are always together; also it'll show which values are the most common.


I feel I should be able to pull this off with mvmap but can't make my brain produce the actual process to it.


ITWhisperer
SplunkTrust
| eval inConjunctionWith=field1
| mvexpand inConjunctionWith
| mvexpand field1
| stats count by field1 inConjunctionWith
| eval inConjunctionWith=if(inConjunctionWith=field1,"<all>",inConjunctionWith)
| sort 0 field1 -count inConjunctionWith

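The same self-join that the mvexpand answer performs, written as an added Python example (not code from the post or from Splunk) so the counting logic can be checked offline: it parses constructed log lines in the question's format, expands each event's values against themselves, counts every pair and relabels the self-pair as <all>. The `[field1=...]` extraction pattern and the sample events are assumptions; the output lists every pair the SPL would produce, including ones such as B/C that a value sharing an event with two others generates.

```python
import re
from collections import Counter
from itertools import product

# Constructed sample events in the question's format (not real application logs).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 host=app01 [field1=A,B,C] status=200",
    "2024-05-01T10:00:01 host=app01 [field1=A,C] status=200",
    "2024-05-01T10:00:02 host=app02 [field1=E,F] status=500",
]

# Assumed extraction: field1 is the comma-separated list inside "[field1=...]".
FIELD1_RE = re.compile(r"\[field1=([^\]]*)\]")


def extract_field1(line):
    """Return field1 as a list of values, i.e. the Splunk multivalue field."""
    match = FIELD1_RE.search(line)
    if not match:
        return []
    return [v.strip() for v in match.group(1).split(",") if v.strip()]


def cooccurrence(lines):
    """Reproduce the SPL: copy field1 to inConjunctionWith, mvexpand both copies
    (a cartesian product per event), count by (field1, inConjunctionWith) and
    relabel the self-pair as "<all>", which is the value's total occurrences.
    Duplicate values inside one event inflate counts here exactly as in SPL."""
    counts = Counter()
    for line in lines:
        values = extract_field1(line)
        for a, b in product(values, values):
            counts[(a, "<all>" if a == b else b)] += 1
    # sort 0 field1 -count inConjunctionWith ("<all>" sorts before letters)
    return sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))


def format_table(rows):
    """Render rows as the field1mv / inConjunctionWith / count table from the question."""
    out = ["field1mv  inConjunctionWith  count"]
    for (a, b), n in rows:
        out.append(f"{a:<9} {b:<17} {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_table(cooccurrence(SAMPLE_LOGS)))
```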

Lithyum
Engager

Thanks ITWhisperer.

The mvexpand was the kicker! :grinning_face:
