Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the "correlate" function doing behind the scenes

spogtrop
Explorer
‎07-06-2022 07:42 AM

I am trying to use the correlate command in Splunk but keep receiving "1.0" or other numbers as the correlation value when it should not. For example, I have two columns in my table, each with values "increase" or "decrease" based on how much data it is ingesting hour to hour. When I use correlate after that, however, I get 1.0 as the correlation value when it is not 100%. So what exactly is the command correlating, is it not the table? Is it something with the indexes behind the scenes? Also, how do you use parentheses after the correlate command to input fields? All help is appreciated, I have been working on this for a while.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 08:47 AM

The correlate command looks at the fields in your data and generates a matrix showing the percentage of times each pair of fields appears.

You don't use parentheses or any other arguments with the correlate command.  If you need to specify fields, use the contingency command.

See https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Correlate and https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Contingency for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 12:38 PM

Thank you, so then can I only use the correlate command with built in fields? Or can I do what I did, create to columns using "eval" and then compare them? I am basically trying to run a correlation the way Microsoft Excel would, where you take two columns with numbers and run the correlation. Even though my data is different, I get values like 1.0 which can't be right because the data is not 100% the same. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 01:11 PM

That was a lot of help thank you so much

0 Karma
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...