Question about analyzefields search command

briang67 · ‎10-29-2010

The analyzefields seems to be interesting in its ability to correlate across multiple fields, but I cannot determine what the output is actually telling me. I see four columns that are returned in a table: count, cocur, acc and balacc.

It looks like count is the number of occurrences of the field in my data set. I'm at a loss for the other columns. The documentation does not describe the resulting output. http://www.splunk.com/base/Documentation/latest/SearchReference/Af

Any stats experts out there?

Thank you

steveyz · ‎01-11-2011

cocur is the cocurrence of the field versus the classfield. Basically it is 1 if field exists in every event where classfield exists.

acc is the accuracy in predicting the value of the classfield using the value of the field, using a multi-class guassian maximal likelihood estimation. This is only valid for numerical fields.

balacc is the "balanced accuracy", which is basically just the accuracy adjusted for the distribution of values of the classfield. Basically, a non-weighted average of the accuracies in predicting each value of the classfield. Again this is only valid for numerical fields.

sophy · ‎01-11-2011

0

thank you, steveyz. i've added this information to the docs.

Question about analyzefields search command

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?