In this recipe, you used the associate command to find relationships between the status and uri fields in the web access events. The associate command works by calculating a change in entropy based upon field-pair values: for each value of one field it measures how much more predictable the other field becomes, so it can predict the value of one field given the value of another.
Let's break down the search piece by piece:
| Search fragment | Description |
|---|---|
| index=main sourcetype=access_combined NOT status="200" | You should be familiar with this search from the earlier recipes in this chapter. However, we added search criteria to exclude any event whose status field is equal to 200 (success). |
| \| associate uri status supcnt=50 | The associate command is used to identify correlations ... |