Search Reference

 


kmeans

Synopsis

Performs k-means clustering on selected fields.

Syntax

kmeans [kmeans-options]* <field-list>

Required arguments

field-list
Syntax: <field>, ...
Description: Specify the fields to use for the clustering. If none are specified, uses all numerical fields.

Optional arguments

kmeans-options
Syntax: <reps>|<iters>|<tol>|<k>|<cnumfield>|<distype>
Description: Options for the kmeans command.

kmeans options

reps
Syntax: reps=<int>
Description: Specify the number of times to repeat kmeans using random starting clusters. Defaults to 10.
iters
Syntax: maxiters=<int>
Description: Specify the maximum number of iterations allowed before failing to converge. Defaults to 10000.
tol
Syntax: tol=<num>
Description: Specify the algorithm convergence tolerance. Defaults to 0.
k
Syntax: k=<int>|<int>-<int>
Description: Specify the number of initial clusters to use. This value can be expressed as a range; in this case, each value in the range is used once and summary data is given. Defaults to 2.
cnumfield
Syntax: cfield=<field>
Description: Names the field for the cluster number for each event. Defaults to CLUSTERNUM.
distype
Syntax: dt=l1|l1norm|cityblock|cb|l2|l2norm|sq|sqeuclidean|cos|cosine
Description: Specify the distance metric to use. L1/L1NORM is equivalent to CITYBLOCK. L2NORM is equivalent to SQEUCLIDEAN. Defaults to L2NORM.

Description

Performs k-means clustering on the selected fields (or on all numerical fields if none are given). Events in the same cluster are moved next to each other. Optionally, the cluster number for each event is displayed.

Examples

Example 1: Group search results into 4 clusters based on the values of the "date_hour" and "date_minute" fields.

... | kmeans k=4 date_hour date_minute

Example 2: Group results into 2 clusters based on the values of all numerical fields.

... | kmeans
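
What the reps, maxiters, tol and dt options control, shown with a generic k-means sketch in Python. This is an added example, not Splunk's implementation; the function names, the seed parameter and the sample (date_hour, date_minute) values are constructed for illustration.

```python
import math
import random

def _l1(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))

def _sq(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def _cos(a, b):
    na, nb = math.hypot(*a), math.hypot(*b)
    return 1.0 if na == 0 or nb == 0 else 1.0 - sum(x * y for x, y in zip(a, b)) / (na * nb)

# dt= names from the option list above, mapped to generic metric functions.
DIST = {"l1": _l1, "l1norm": _l1, "cityblock": _l1, "cb": _l1,
        "l2": _sq, "l2norm": _sq, "sq": _sq, "sqeuclidean": _sq,
        "cos": _cos, "cosine": _cos}

def _assign(points, centers, dist):
    return [min(range(len(centers)), key=lambda c: dist(p, centers[c])) for p in points]

def kmeans(points, k=2, reps=10, maxiters=10000, tol=0.0, dt="l2norm", seed=0):
    """Return (cost, labels, centers) of the best of `reps` random restarts."""
    dist, rng, best = DIST[dt], random.Random(seed), None
    for _ in range(reps):                       # reps: independent random starts
        centers = rng.sample(points, k)
        for _ in range(maxiters):               # maxiters: cap on update rounds
            labels = _assign(points, centers, dist)
            new = []
            for c in range(k):
                members = [p for p, l in zip(points, labels) if l == c]
                new.append(tuple(sum(v) / len(members) for v in zip(*members))
                           if members else centers[c])  # empty cluster keeps its center
            done = new == centers or max(map(dist, centers, new)) <= tol
            centers = new
            if done:                            # tol: largest allowed center movement
                break
        labels = _assign(points, centers, dist)
        cost = sum(dist(p, centers[l]) for p, l in zip(points, labels))
        if best is None or cost < best[0]:      # keep the lowest-cost restart
            best = (cost, labels, centers)
    return best

# Constructed sample (date_hour, date_minute) pairs, not real events.
EVENTS = [(9, 2), (9, 5), (10, 8), (10, 3), (2, 55), (3, 50), (2, 58)]

if __name__ == "__main__":
    cost, labels, centers = kmeans(EVENTS, k=2)
    for event, label in zip(EVENTS, labels):
        print(label, event)
```

Because each restart begins from different random centers, a higher reps value can only keep or lower the final cost for a given seed.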

See also

anomalies, anomalousvalue, cluster, outlier

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the kmeans command.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2, 5.0.3

