Question about analyzefields search command

briang67 · ‎10-29-2010

The analyzefields seems to be interesting in its ability to correlate across multiple fields, but I cannot determine what the output is actually telling me. I see four columns that are returned in a table: count, cocur, acc and balacc.

It looks like count is the number of occurrences of the field in my data set. I'm at a loss for the other columns. The documentation does not describe the resulting output. http://www.splunk.com/base/Documentation/latest/SearchReference/Af

Any stats experts out there?

Thank you

steveyz · ‎01-11-2011

cocur is the cocurrence of the field versus the classfield. Basically it is 1 if field exists in every event where classfield exists.

acc is the accuracy in predicting the value of the classfield using the value of the field, using a multi-class guassian maximal likelihood estimation. This is only valid for numerical fields.

balacc is the "balanced accuracy", which is basically just the accuracy adjusted for the distribution of values of the classfield. Basically, a non-weighted average of the accuracies in predicting each value of the classfield. Again this is only valid for numerical fields.

sophy · ‎01-11-2011

0

thank you, steveyz. i've added this information to the docs.

Question about analyzefields search command

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...