You can use the
cluster command to learn more about your data and to find common and/or rare events in your data. For example, if you are investigating an IT problem and you don't know specifically what to look for, use the cluster command to find anomalies. In this case, anomalous events are those that aren't grouped into big clusters or clusters that contain few events. Or, if you are searching for errors, use the cluster command to see approximately how many different types of errors there are and what types of errors are common in your data.
Cluster similar events together.
- Syntax: t=<num> | delims=<string> | showcount=<bool> | countfield=<field> | labelfield=<field> | field=<field> | labelonly=<bool> | match=(termlist | termset | ngramset)
- Description: Options for configuring simple log clusters (slc).
- Syntax: t=<num>
- Description: Sets the cluster threshold, which controls the sensitivity of the clustering. This value needs to be a number greater than 0.0 and less than 1.0. The closer the threshold is to 1, the more similar events have to be for them to be considered in the same cluster. Default is 0.8.
- Syntax: delims=<string>
- Description: Configures the set of delimiters used to tokenize the raw string. By default, everything except 0-9, A-Z, a-z, and '_' are delimiters.
- Syntax: showcount=<bool>
- Description: Shows the size of each cluster. Default is true, unless
labelonlyis set to true. When
showcount=false, each indexer clusters its own events before clustering on the search head.
- Syntax: countfield=<field>
- Description: Name of the field to write the cluster size to. The cluster size is the count of events in the cluster. Defaults to
- Syntax: labelfield=<field>
- Description: Name of the field to write the cluster number to. Splunk counts each cluster and labels each with a number as it groups events into clusters. Defaults to
- Syntax: field=<field>
- Description: Name of the field to analyze in each event. Defaults to
- Description: labelonly=<bool>
- Syntax: Specifies whether reduce each cluster to a single representative cluster. If true, keeps all original events and labels them with a cluster number (the value of
labelfield). If false, reduces each cluster to a single event. to keep all original events instead of reducing each cluster to a single event. Defaults to
- Syntax: match=(termlist | termset | ngramset)
- Description: Specify the method used to determine the similarity between events.
termlistbreaks down the field into words and requires the exact same ordering of terms.
termsetallows for an unordered set of terms.
ngramsetcompares sets of trigram (3-character substrings).
ngramsetis significantly slower on large field values and is most useful for short non-textual fields, like
punct. Defaults to
cluster command groups events together based on how similar they are to each other. Unless you specify a different field,
cluster uses the
_raw field to break down the events into terms (
match=termlist) and compute the vector between events. Set a higher threshold value for
t, if you want the command to be more discriminating about which events are grouped together.
The result of the cluster command appends two new fields to each event. You can specify what to name these fields with the
labelfield parameters, which default to
cluster_count value is the number of events that are part of the cluster, or the cluster size. Each event in the cluster is assigned the
cluster_label value of the cluster it belongs to. For example, if the search returns 10 clusters, then the clusters are labeled from 1 to 10.
Quickly return a glimpse of anything that is going wrong in your Splunk instance.
index=_internal source=*splunkd.log* log_level!=info | cluster | table cluster_count _raw | sort -cluster_count
This search takes advantage of what Splunk logs about itself in the _internal index. It returns all logs where the log_level is DEBUG, WARN, ERROR, FATAL and clusters them together and sorts it by the count of events in each cluster.
Search for events that don't cluster into large groups.
... | cluster showcount=t | sort cluster_count
This returns clusters of events and uses the sort command to display them in ascending order based on the cluster size, which are the values of
cluster_count. Because they don't cluster into large groups, you can consider these rare or uncommon events.
Cluster similar error events together and search for the most frequent type of error.
error | cluster t=0.9 showcount=t | sort - cluster_count | head 20
This searches your index for events that include the term "error" and clusters them together if they are similar. The sort command is used to display the events in descending order based on the cluster size,
cluster_count, so that largest clusters are shown first. The head command is then used to show the twenty largest clusters. Now that you've found the most common types of errors in your data, you can dig deeper to find the root causes of these errors.
cluster command to see an overview of your data. If you have a large volume of data, run the following search over a small time range, such as 15 minutes or 1 hour, or restrict it to a source type or index.
... | cluster labelonly=t showcount=t | sort - cluster_count, cluster_label, _time | dedup 5 cluster_label
This search helps you to learn more about your data by grouping events together based on their similarity and showing you a few of events from each cluster. It uses
labelonly=t to keep each event in the cluster and append them with a
cluster_label. The sort command is used to show the results in descending order by its size (
cluster_count), then its
cluster_label, then the indexed timestamp of the event (
_time). The dedup command is then used to show the first five events in each cluster, using the
cluster_label to differentiate between each cluster.
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the cluster command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2