The analyzefields command analyzes all the input fields that contain numeric values and creates the output results as rows, one row for each numeric field. Each row shows how well the analyzefields command predicts the value of a classfield from that field.

Syntax :

analyzefields classfield=<field>

af classfield=<field> - af is an abbreviation for the analyzefields command.

classfield : The field whose value is predicted. It can hold multiple classes (multiclass analysis).

The analyzefields command generates five columns in the output results.

field : The name of a field which contains only numeric values (from the input search results).

count : The number of times the field occurs in the search results.

cocur : The ratio of results having the classfield to the results having the field. If every event has both the classfield and the field, then cocur is 1.

acc : The accuracy in predicting the value of the classfield.

balacc : The real time (non-weighted) average of the accuracies with which each classfield value is predicted. It is only applicable to numerical fields.

Example :

index=main sourcetype=price | analyzefields classfield=sale_price



In the above search, we extract the data from the main index and the sourcetype “csv” given in the main search. We are analyzing the data named City. After the pipe, the search uses the analyzefields command to analyze the fields containing numerical values and predict the values in the classfield (City), in order to analyze the performance of the data. The classfield should always have distinct values.

The analyzefields command adds five different columns to the output. The first column, “field”, contains the numeric fields taken from the input results as its values. ‘linecount’ and ‘price’ in the column “field” are the only numeric fields present in the event. The second column, “count”, shows that each field (C_P,Profit,Quantity,Rating,S_P,Tax 5,Total,cogs,date_hour,date_mday) occurs 1000 times. The third column, “cocur”, shows the ratio of results having the classfield (City) to the results having the fields (C_P,Profit,Quantity,Rating,S_P,Tax 5,Total,cogs,date_hour,date_mday). If every event has both the classfield and the field, then cocur is 1. The fourth column, “acc”, shows the accuracy of the analyzefields command in predicting the value of the classfield by comparing the values in the classfield (City) and the existing fields (C_P,Profit,Quantity,Rating,S_P,Tax 5,Total,cogs,date_hour,date_mday). Here the Profit field has an acc value of 0.33, and 0.33 * 100 = 33, so we get 33% accuracy in predicting the value of the classfield. The fifth column, “balacc”, shows the real time (non-weighted) average of the accuracies of the classfield.
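The sketch below is an added example, not Splunk's code: it computes the count, cocur, acc and balacc columns from their definitions above on a small constructed event set, to show why acc and balacc differ when one class is rare. The event data, the function name analyze_field and the nearest-class-mean predictor are assumptions made for illustration; the page does not describe the predictor analyzefields uses internally.

```python
from collections import defaultdict

# Constructed sample events (not from the page). "city" plays the classfield;
# "profit" is a numeric field. One event lacks city, one lacks profit.
EVENTS = (
    [{"city": "A", "profit": p} for p in (10, 11, 12, 13, 14, 15)]
    + [{"city": "B", "profit": p} for p in (13, 30)]
    + [{"profit": 20}, {"city": "A"}]
)

def analyze_field(events, field, classfield):
    """Return the count, cocur, acc and balacc columns for one numeric field."""
    with_field = [e for e in events if field in e]
    both = [e for e in with_field if classfield in e]
    row = {"field": field, "count": len(with_field),
           "cocur": None, "acc": None, "balacc": None}
    if not both:
        return row  # no event carries both fields, nothing to score
    # cocur: share of the events having the field that also have classfield.
    row["cocur"] = len(both) / len(with_field)

    # ASSUMPTION: stand-in predictor (nearest class mean), scored on the same
    # events. Splunk's internal predictor is not described on the page.
    values = defaultdict(list)
    for e in both:
        values[e[classfield]].append(e[field])
    means = {c: sum(v) / len(v) for c, v in values.items()}
    hits = defaultdict(int)
    for e in both:
        predicted = min(sorted(means), key=lambda c: abs(e[field] - means[c]))
        hits[e[classfield]] += predicted == e[classfield]

    # acc: overall share of correct predictions.
    row["acc"] = sum(hits.values()) / len(both)
    # balacc: non-weighted mean of the per-class accuracies, so a small
    # class counts as much as a large one.
    row["balacc"] = sum(hits[c] / len(values[c]) for c in means) / len(means)
    return row

if __name__ == "__main__":
    print(analyze_field(EVENTS, "profit", "city"))
```

With this data the rare class B is predicted correctly only half the time, so balacc falls below acc even though most events are classified correctly.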
