You expect all Web access events to share the same fields: clientip, referer, method, and so on. Look at the co-occurrence between all fields in the _internal index.īecause there are different types of logs in the _internal, you can expect to see that many of the fields do not co-occur.Ĭalculate the co-occurrences between all fields in Web access events. Some fields may have been ignored."Īs with all designed-in limits, adjusting this might have significant memory or cpu costs. If this occurs, the notification from the search or alert contains a message "correlate: input fields limit (N) reached. If more than this many fields are encountered, the correlate command continues to process data for the first N (eg thousand) field names encountered, but ignores data for additional fields. There is a limit on the number of fields that correlate considers in a search.įrom nf, stanza, the maxfields sets this ceiling. ![]() If you want to analyze the relationship between the values of fields, refer to the contingency command, which counts the co-ocurrence of pairs of field values in events. Note: This command looks at the relationship among all the fields in a set of search results. The field the result is specific to is named in the value of the RowField field, while the fields it is compared against are the names of the other fields. The cell value represents the percentage of times that the two fields exist in the same events. The results are presented in a matrix format, where the cross tabulation of two fields is a cell value. ![]() You can use the correlate command to see an overview of the co-occurrence between fields in your data. Calculates the correlation between different fields.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |