Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the "correlate" function doing behind the scenes

spogtrop
Explorer
‎07-06-2022 07:42 AM

I am trying to use the correlate command in Splunk but keep receiving "1.0" or other numbers as the correlation value when it should not. For example, I have two columns in my table, each with values "increase" or "decrease" based on how much data it is ingesting hour to hour. When I use correlate after that, however, I get 1.0 as the correlation value when it is not 100%. So what exactly is the command correlating, is it not the table? Is it something with the indexes behind the scenes? Also, how do you use parentheses after the correlate command to input fields? All help is appreciated, I have been working on this for a while.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 08:47 AM

The correlate command looks at the fields in your data and generates a matrix showing the percentage of times each pair of fields appears.

You don't use parentheses or any other arguments with the correlate command.  If you need to specify fields, use the contingency command.

See https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Correlate and https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Contingency for more information.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 12:38 PM

Thank you, so then can I only use the correlate command with built in fields? Or can I do what I did, create to columns using "eval" and then compare them? I am basically trying to run a correlation the way Microsoft Excel would, where you take two columns with numbers and run the correlation. Even though my data is different, I get values like 1.0 which can't be right because the data is not 100% the same. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-06-2022 12:55 PM

The correlate command uses all fields in your data that have names not beginning with an underscore.

The correlate command is very different from Excel's CORREL function.  The latter compares values whereas the former checks for the *presence* of values (ignoring the actual value).

As far as I can tell, there is no command or function similar to CORREL in Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spogtrop
Explorer
‎07-06-2022 01:11 PM

That was a lot of help thank you so much

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...