Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the "correlate" function doing behind the scenes

spogtrop
Explorer
‎07-06-2022 07:42 AM

I am trying to use the correlate command in Splunk but keep receiving "1.0" or other numbers as the correlation value when it should not. For example, I have two columns in my table, each with values "increase" or "decrease" based on how much data it is ingesting hour to hour. When I use correlate after that, however, I get 1.0 as the correlation value when it is not 100%. So what exactly is the command correlating, is it not the table? Is it something with the indexes behind the scenes? Also, how do you use parentheses after the correlate command to input fields? All help is appreciated, I have been working on this for a while.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 08:47 AM

The correlate command looks at the fields in your data and generates a matrix showing the percentage of times each pair of fields appears.

You don't use parentheses or any other arguments with the correlate command.  If you need to specify fields, use the contingency command.

See https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Correlate and https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Contingency for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 12:38 PM

Thank you, so then can I only use the correlate command with built in fields? Or can I do what I did, create to columns using "eval" and then compare them? I am basically trying to run a correlation the way Microsoft Excel would, where you take two columns with numbers and run the correlation. Even though my data is different, I get values like 1.0 which can't be right because the data is not 100% the same. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 01:11 PM

That was a lot of help thank you so much

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...