Search Reference


cluster

Synopsis

Clusters similar events together.

Syntax

cluster [slc-option]*

Arguments

slc-option
Syntax:
Description:

Description

Fast and simple clustering method designed to operate on raw event text (_raw field). With default options, a single representative event is retained for each cluster.

Examples

Example 1: Cluster events together, sort them by their "cluster_count" values, and then return the 20 largest clusters (in data size).

... | cluster t=0.9 showcount=true | sort - cluster_count | head 20

Example 2: Cluster syslog events together.

sourcetype=syslog | cluster
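To make the behaviour of Example 1 concrete, here is an added Python model (not Splunk's own implementation) of `cluster t=<threshold> showcount=true | sort - cluster_count | head N` run over constructed syslog-style events. Since this page does not state the command's similarity measure or default threshold, the example assumes a Jaccard similarity over digit-normalised tokens and a greedy single pass, with t=0.8 as its own default.

```python
import re

# Constructed sample syslog-style events (not real data).
SAMPLE_EVENTS = [
    "sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2",
    "sshd[1202]: Failed password for invalid user root from 10.0.0.5 port 51023 ssh2",
    "sshd[1203]: Failed password for invalid user test from 10.0.0.9 port 51030 ssh2",
    "sshd[1210]: Accepted publickey for deploy from 10.0.1.2 port 44010 ssh2",
    "cron[88]: (root) CMD (run-parts /etc/cron.hourly)",
    "cron[89]: (root) CMD (run-parts /etc/cron.hourly)",
    "kernel: eth0: link is up",
]

def tokenize(event):
    """Split on whitespace/punctuation and blank out digit runs so that events
    differing only in PIDs, ports or addresses compare as similar."""
    tokens = re.split(r"[\s\[\]():,/]+", event)
    return {re.sub(r"\d+", "#", t).lower() for t in tokens if t}

def similarity(a, b):
    """Jaccard similarity of two token sets (an assumed measure, not Splunk's)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def cluster_events(events, t=0.8):
    """Greedy single-pass clustering: an event joins the first cluster whose
    representative scores at least t, otherwise it starts a new cluster.
    Returns (representative_event, cluster_count) pairs, like showcount=true.
    The default t=0.8 is this example's choice, not the command's default."""
    clusters = []  # entries: [representative, representative tokens, count]
    for event in events:
        toks = tokenize(event)
        for entry in clusters:
            if similarity(toks, entry[1]) >= t:
                entry[2] += 1
                break
        else:
            clusters.append([event, toks, 1])
    return [(rep, count) for rep, _, count in clusters]

def top_clusters(events, t=0.8, n=20):
    """Equivalent of `| sort - cluster_count | head n` on the clustered output."""
    return sorted(cluster_events(events, t), key=lambda rc: -rc[1])[:n]

if __name__ == "__main__":
    for rep, count in top_clusters(SAMPLE_EVENTS, t=0.8, n=20):
        print(f"{count:3d}  {rep}")
```

Raising the threshold to the 0.9 of Example 1 splits the three failed-login events into separate clusters here, which shows why the threshold should be tuned against real data before counts are trusted.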


See also

anomalies, anomalousvalue, cluster, kmeans, outlier

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11
