
associate

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10

Synopsis

Identifies correlations between fields.

Syntax

associate [associate-option]* [field-list]

Arguments

Description

Searches for relationships between pairs of fields. More specifically, this command tries to identify cases where the entropy of field1 decreases significantly given the condition field2=value2. Here field1 is the target key, field2 is the reference key, and value2 is the reference value. If a list of fields is provided, the analysis is restricted to those fields. By default, all fields are used.

Examples

Example 1: Return results associated with each other (that have at least 3 references to each other).

... | associate supcnt=3

Example 2: Analyze all events from host "reports" and return results associated with each other.

host="reports" | associate supcnt=50 supfreq=0.2 improv=0.5

Example 3: Analyze all fields to find a relationship.

... | associate
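
The entropy test from the Description, as an added Python sketch run over constructed authentication events; it is not Splunk's implementation and not part of the original page. The meanings given to supcnt, supfreq and improv (minimum support count, minimum support fraction, minimum entropy decrease) are assumptions, since the page does not define them.

```python
import math
from collections import Counter

def entropy(values):
    """Shannon entropy, in bits, of the value distribution in a list."""
    n = len(values)
    return sum(c / n * math.log2(n / c) for c in Counter(values).values())

def associate(events, supcnt=3, supfreq=0.1, improv=0.5):
    """Return (ref_key, ref_value, target_key, H_uncond, H_cond, support) rows.

    Assumed option meanings: supcnt = minimum events with ref_key=ref_value,
    supfreq = that count as a minimum fraction of all events,
    improv = minimum drop in the target key's entropy.
    """
    fields = sorted({k for e in events for k in e})
    rows = []
    for ref in fields:
        counts = Counter(e[ref] for e in events if ref in e)
        for value, support in counts.items():
            if support < supcnt or support / len(events) < supfreq:
                continue  # reference value too rare to trust
            subset = [e for e in events if e.get(ref) == value]
            for target in fields:
                if target == ref:
                    continue
                every = [e[target] for e in events if target in e]
                cond = [e[target] for e in subset if target in e]
                if not cond:
                    continue
                h_all, h_cond = entropy(every), entropy(cond)
                if h_all - h_cond >= improv:
                    rows.append((ref, value, target,
                                 round(h_all, 3), round(h_cond, 3), support))
    return rows

# Constructed sample: authentication events with three extracted fields.
EVENTS = (
    [{"user": "svc_backup", "src": "10.0.0.5", "action": "success"}] * 4
    + [{"user": "alice", "src": "10.0.0.21", "action": "success"},
       {"user": "alice", "src": "10.0.0.22", "action": "failure"},
       {"user": "bob", "src": "10.0.0.23", "action": "success"},
       {"user": "bob", "src": "10.0.0.24", "action": "failure"}]
)

if __name__ == "__main__":
    for row in associate(EVENTS):
        print(row)
```

In the sample, the condition user=svc_backup drops the entropy of src from 2.0 bits to 0, which is the kind of tight pairing between a reference value and a target key that the command reports.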


See also

correlate, contingency

Revision: 207. Community content licensed under Creative Commons.