The findkeywords command is an internal, unsupported, experimental command. See About internal commands.
Given some integer labeling of events into groups, finds searches to generate these groups.
labelfield
- Syntax: labelfield=<field>
- Description: A field name.
Use the findkeywords command after the cluster command, or a similar command that groups events. The findkeywords command takes a set of results with a field (labelfield) that supplies a partition of the results into a set of groups. The command derives a search to generate each of these groups. This search can be saved as an event type.
Return logs for specific log_level values and group the results
Return all logs where the log_level is DEBUG, WARN, ERROR, FATAL and group the results by cluster count.
index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | findkeywords labelfield=cluster_count
The result is a statistics table:
The values of groupID are the values of cluster_count returned from the
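As an added illustration of the keyword-discovery step described above, not Splunk's own implementation of findkeywords, the following Python routine takes events already labelled by a group field such as cluster_count and, for each group, collects the keywords that occur in every event of that group and in no event of any other group. The selection rule, the constructed splunkd.log-style sample events and the helper names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed selection rule (not Splunk's implementation): a keyword qualifies
# for a group if it occurs in every event of that group and in no event of
# any other group. Keywords are lower-cased because Splunk keyword search is
# case-insensitive.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")

def tokens(raw):
    """Split a raw event into a set of lower-cased candidate keywords."""
    return {t.lower() for t in TOKEN.findall(raw)}

def find_keywords(events, labelfield="cluster_count"):
    """Map each group ID (a value of labelfield) to its distinguishing keywords."""
    groups = defaultdict(list)
    for ev in events:
        if labelfield in ev:  # events without a label are ignored
            groups[ev[labelfield]].append(tokens(ev["_raw"]))
    result = {}
    for gid, members in groups.items():
        common = set.intersection(*members)
        elsewhere = set().union(*(t for g, ms in groups.items() if g != gid for t in ms))
        result[gid] = sorted(common - elsewhere)  # may be empty: no unique keyword
    return result

def to_search(keywords):
    """Render a keyword list as a search fragment; adjacent SPL terms are ANDed."""
    return " ".join(keywords)

# Constructed sample shaped like splunkd.log results after `cluster showcount=t`;
# cluster_count plays the role of the labelfield (groupID).
SAMPLE_EVENTS = [
    {"cluster_count": 3, "_raw": "WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out"},
    {"cluster_count": 3, "_raw": "WARN  TcpOutputProc - Cooked connection to ip=10.0.0.6:9997 timed out"},
    {"cluster_count": 3, "_raw": "WARN  TcpOutputProc - Cooked connection to ip=10.0.0.7:9997 timed out"},
    {"cluster_count": 2, "_raw": "ERROR SearchScheduler - Failed to dispatch search for savedsearch=alert_A"},
    {"cluster_count": 2, "_raw": "ERROR SearchScheduler - Failed to dispatch search for savedsearch=alert_B"},
    {"cluster_count": 1, "_raw": "DEBUG HttpListener - Socket error from 127.0.0.1"},
]

if __name__ == "__main__":
    for gid, kws in sorted(find_keywords(SAMPLE_EVENTS).items()):
        print(f"groupID={gid}: {to_search(kws)}")
```

Shared words such as "to" and "error" are dropped because they also appear in another group, so each derived search reproduces only its own group.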
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the findkeywords command.
This documentation applies to the following versions of Splunk Cloud™: 7.0.11, 7.0.13, 7.1.3, 7.1.6, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001, 8.0.2003, 8.0.2004