The findkeywords command is an internal, unsupported, experimental command. See About internal commands.
Given a field whose integer values label events into groups, finds a search that generates each of those groups.
findkeywords labelfield=<field>
Required arguments
- labelfield
- Syntax: labelfield=<field>
- Description: The name of the field whose values partition the events into groups. Events that share a value of this field form one group.
Use the findkeywords command after the cluster command, or a similar command that groups events. The findkeywords command takes a set of results with a field (labelfield) that partitions the results into a set of groups. The command derives a search that generates each of these groups. Such a search can be saved as an event type.
Return logs for specific log_level values and group the results
Return all splunkd.log events whose log_level is not INFO (that is, DEBUG, WARN, ERROR, or FATAL), cluster them, and use the cluster size (cluster_count) as the group label. Note that cluster_count is the number of events in each cluster, so two different clusters of the same size receive the same label and findkeywords treats them as a single group.
index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | findkeywords labelfield=cluster_count
The result is a statistics table. The values of groupID are the values of cluster_count returned from the cluster command.
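To make the behaviour concrete, the following is an added Python illustration (not Splunk's code or its actual algorithm) of what findkeywords does: given events that already carry a cluster_count label, it derives for each label a keyword search that returns exactly that group, and then runs the derived search back over the events to confirm it. The tokenizer, the greedy term selection, and the sample log lines are all assumptions made for this example.

```python
"""Added illustration of the idea behind findkeywords (not Splunk's implementation):
given events already partitioned by a label field, derive for each group a
keyword search that regenerates exactly that group."""
import re
from collections import defaultdict

# Assumed tokenizer: runs starting with a letter or digit, lower-cased because
# Splunk search terms are case-insensitive.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.\-]*")

# Constructed sample events, shaped like what `cluster showcount=t` emits on
# splunkd.log: _raw plus a cluster_count label. Three clusters of size 3, 2, 1
# (sizes are distinct here; equal-sized clusters would share one label).
SAMPLE_EVENTS = [
    {"_raw": "ERROR TcpOutputProc - Connection to 10.0.0.5:9997 failed", "cluster_count": 3},
    {"_raw": "ERROR TcpOutputProc - Connection to 10.0.0.6:9997 failed", "cluster_count": 3},
    {"_raw": "ERROR TcpOutputProc - Connection to 10.0.0.7:9997 failed", "cluster_count": 3},
    {"_raw": "ERROR DateParserVerbose - Failed to parse timestamp for event 1", "cluster_count": 2},
    {"_raw": "ERROR DateParserVerbose - Failed to parse timestamp for event 2", "cluster_count": 2},
    {"_raw": "WARN TcpOutputProc - Connection to 10.0.0.5:9997 throttled", "cluster_count": 1},
]


def tokenize(raw):
    return {t.lower() for t in TOKEN_RE.findall(raw)}


def derive_search(group_tokens, other_tokens):
    """Pick terms present in every event of the group, greedily choosing the
    term that excludes the most outside events first. Returns (search, exact)
    where exact means the search matches no event outside the group."""
    common = set.intersection(*group_tokens)
    remaining = list(other_tokens)          # outside events still matched
    chosen = []
    # fewest outside matches first, then longest (most specific) term, then name
    for term in sorted(common, key=lambda t: (sum(t in o for o in other_tokens), -len(t), t)):
        if not remaining:
            break
        if all(term in o for o in remaining):
            continue                        # would not exclude anything
        chosen.append(term)
        remaining = [o for o in remaining if term in o]
    if not chosen and common:               # nothing to exclude: one term suffices
        chosen = [min(common, key=lambda t: (-len(t), t))]
    return " ".join(chosen), not remaining


def find_keywords(events, labelfield="cluster_count", rawfield="_raw"):
    """Mimics `| findkeywords labelfield=<field>`: one row per label with the
    derived search, in the spirit of the groupID table the command produces."""
    groups = defaultdict(list)
    for event in events:
        groups[event[labelfield]].append(tokenize(event[rawfield]))
    rows = []
    for label in sorted(groups):
        others = [toks for other, sets in groups.items() if other != label for toks in sets]
        search, exact = derive_search(groups[label], others)
        rows.append({"groupID": label, "count": len(groups[label]),
                     "search": search, "exact": exact})
    return rows


def run_search(events, search, rawfield="_raw"):
    """Apply a derived search (implicit AND of its terms) back to the events."""
    terms = search.split()
    return [e for e in events if all(t in tokenize(e[rawfield]) for t in terms)]


if __name__ == "__main__":
    for row in find_keywords(SAMPLE_EVENTS):
        print(row)
```

On the sample data the size-3 cluster needs two terms (`tcpoutputproc failed`) because each term alone also matches an event in another group, while the other two clusters are identified by a single term; the `exact` flag is what a practitioner should check before saving a derived search as an event type.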
See also
dump, makejson
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2411, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2112, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406, 9.3.2408 (latest FedRAMP release)