Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- What does cofilter actually do?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran across the cofilter command and wanted to review some output results from it to see if it might be useful. It doesn't produce any results on my test data, so maybe I don't understand its purpose.
The docs are at https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Cofilter
Here's some run-anywhere test data that creates test records with an animal and a color.
| makeresults
| eval mydata="dog,green cat,green cat,orange duck,yellow donkey,green dog,green dog,green dog,blue dog,yellow dog,grey wolf,black parakeet,yellow cat,yellow cat,green dog,green donkey,green"
| makemv mydata
| mvexpand mydata
| makemv delim="," mydata
| eval animal=mvindex(mydata,0), color=mvindex(mydata,1)
| table animal color
... which produces records with the values as expected, but the following cofilter command has no output...
| cofilter animal color
So, what am I missing, here?
note - the "ask a question" question interface didn't allow cofilter as a tag... if anyone has admin rights to add a tag, please replace filter with cofilter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i couldn't get it to work with your own data, but I used a small sample of some billing data to see if i could get it to work.
basic syntax: sourcetype=billing|cofilter user purchaseStatus
table:
"Item 1" "Item 1 user count" "Item 2" "Item 2 user count" "Pair count"
billed 9 disputed 1 1
i had 9 total users. so my data had 9 users that had a status "billed" and 1 with a status "disputed" and 1 time the user had both. I think the documentation isn't explaining this properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should post a comment to the docs page that it is not clear and reference the URL for this question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It may be somewhat related to contingency:
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Contingency
Try adding this instead:
| contingency animal color
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i couldn't get it to work with your own data, but I used a small sample of some billing data to see if i could get it to work.
basic syntax: sourcetype=billing|cofilter user purchaseStatus
table:
"Item 1" "Item 1 user count" "Item 2" "Item 2 user count" "Pair count"
billed 9 disputed 1 1
i had 9 total users. so my data had 9 users that had a status "billed" and 1 with a status "disputed" and 1 time the user had both. I think the documentation isn't explaining this properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you put a table command before the cofilter and see what happens? I can't believe that I can't get any output from a simple command.
BTW, did you mean you had 9 users or 11 users- 8 users with just billed and 1 with billed and disputed, or 9 with just billed, 1 with just disputed, and 1 with both?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have 9 distinct users, they all had a billing status, one had a dispute status, and one had both (a dispute is like a return). It looked like it split it out by saying "Here are how many users had this value, here are how many had this other value, and here are how many had both values".
if I put |table user purchaseStatus before my cofilter command, it doesn't work. Bizarre. I think a ticket for enhanced documentation would help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That matches my experience. Just to be clear, are there 9 records (8 records with "billed" and 1 with both "billed" and "disputed" as values in a single mv) or are there ten records (9 with "billed" and 1 with "disputed")?
Hmmm. Try | fields user purchaseStatus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| fields user purchaseStatus works.
my data isn't MV, so there are 9 billed and 1 disputed.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
