The associate command identifies events that are associated with each other through field/field value pairs. For example, if one event has a referer_domain of "http://www.google.com/" and another event has a referer_domain with the same URL value, then they are associated.

"Tune" the results gained by the associate command with the supcnt, supfreq, and improv arguments. For more information about these arguments see the associate command reference topic.

Example: Search the web access sourcetypes and identify events that share at least three field/field-value pair associations.

sourcetype=access* | associate supcnt=3

The correlate command calculates the statistical correlation between fields. It uses the cocur operation to calculate the percentage of times that two fields exist in the same set of results.

Example:' Search across all events where eventtype=goodaccess, and calculates the co-occurrence correlation between all of those fields.

eventtype=goodaccess | correlate type=cocur

Use the diff command to compare the differences between two search results. By default it compares the raw text of the search results you select, unless you use the attribute argument to focus on specific field attributes.

Example: Compare the IP addresses for the 44th and 45th events returned in the search.

eventtype=goodaccess | diff pos1=44 pos2=45 attribute=ip