Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the "correlate" function doing behind the scenes

spogtrop
Explorer
‎07-06-2022 07:42 AM

I am trying to use the correlate command in Splunk but keep receiving "1.0" or other numbers as the correlation value when it should not. For example, I have two columns in my table, each with values "increase" or "decrease" based on how much data it is ingesting hour to hour. When I use correlate after that, however, I get 1.0 as the correlation value when it is not 100%. So what exactly is the command correlating, is it not the table? Is it something with the indexes behind the scenes? Also, how do you use parentheses after the correlate command to input fields? All help is appreciated, I have been working on this for a while.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 08:47 AM

The correlate command looks at the fields in your data and generates a matrix showing the percentage of times each pair of fields appears.

You don't use parentheses or any other arguments with the correlate command.  If you need to specify fields, use the contingency command.

See https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Correlate and https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Contingency for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 12:38 PM

Thank you, so then can I only use the correlate command with built in fields? Or can I do what I did, create to columns using "eval" and then compare them? I am basically trying to run a correlation the way Microsoft Excel would, where you take two columns with numbers and run the correlation. Even though my data is different, I get values like 1.0 which can't be right because the data is not 100% the same. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 01:11 PM

That was a lot of help thank you so much

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...