typelearner
typelearner
Synopsis
Generates suggested eventtypes.
Syntax
typelearner [grouping-field] [grouping-maxlen]
Optional arguments
- grouping-field
- Syntax: <field>
- Description: The field with values for
typelearnerto use when initially grouping events. Defaults topunct, the punctuation seen in_raw.
- grouping-maxlen
- Syntax: maxlen=<int>
- Description: Determines how many characters in the grouping-field value to look at. If set to negative, the entire value of the grouping-field value is used to group events. Defaults to 15.
Description
Takes previous search results, and produces a list of promising searches that may be used as event-types. By default, the typelearner command initially groups events by the value of the grouping-field, and then further unifies and merges those groups, based on the keywords they contain.
Examples
Example 1: Have Splunk automatically discover and apply event types to search results
... | typelearnerSee also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the typelearner command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.