Partitions the events into k clusters, with each cluster defined by its mean value. Each event belongs to the cluster with the nearest mean value. Performs k-means clustering on the list of fields that you specify. If no fields are specified, performs the clustering on all numeric fields. Events in the same cluster are moved next to each other. You have the option to display the cluster number for each event.
kmeans [kmeans-options...] [field-list]
- Syntax: <field> ...
- Description: Specify a space separated list of the exact fields to use for the join.
- Default: If no fields are specified, uses all numerical fields that are common to both result sets. Skips events with non-numerical fields.
- Syntax: <reps> | <iters> | <t> | <k> | <cnumfield> | <distype> | <showcentroid>
- Description: Options for the
- Syntax: reps=<int>
- Description: Specify the number of times to repeat kmeans using random starting clusters.
- Default: 10
- Syntax: maxiters=<int>
- Description: Specify the maximum number of iterations allowed before failing to converge.
- Default: 10000
- Syntax: t=<num>
- Description: Specify the algorithm convergence tolerance.
- Default: 0
- Syntax: k=<int> | <int>-<int>
- Description: Specify as a scalar integer value or a range of integers. When provided as single number, selects the number of clusters to use. This produces events annotated by the cluster label. When expressed as a range, clustering is done for each of the cluster counts in the range and a summary of the results is produced. These results express the size of the clusters, and a 'distortion' field which represents how well the data fits those selected clusters. Values must be greater than 1 and less than maxkvalue (see Limits section).
- Default: k=2
- Syntax: cfield=<field>
- Description: Names the field to annotate the results with the cluster number for each event.
- Default: CLUSTERNUM
- Syntax: dt= ( l1 | l1norm | cityblock | cb ) | ( l2 | l2norm | sq | sqeuclidean ) | ( cos | cosine )
- Description: Specify the distance metric to use. The
cbdistance metrics are synonyms for
sqdistance metrics are synonyms for
cosdistance metric is a synonym for
- Default: sqeucildean
- Syntax: showcentroid= true | false
- Description: Specify whether to expose the centroid centers in the search results (showcentroid=true) or not.
- Default: true
The number of clusters to collect the values into -- k -- is not permitted to exceed maxkvalue. The maxkvalue is specified in the
limits.conf file, in the [kmeans] stanza. The maxkvalue default is 1000.
When a range is given for the
k option, the total distance between the beginning and ending cluster counts is not permitted to exceed maxkrange. The maxkrange is specified in the
limits.conf file, in the [kmeans] stanza. The maxkrange default is 100.
The above limits are designed to avoid the computation work becoming unreasonably expensive.
The total number of values which are clustered by the algorithm (typically the number of input results) is limited by the
maxdatapoints parameter in the
[kmeans] stanza of
limits.conf. If this limit is exceeded at runtime, a warning message displays in Splunk Web. This defaults to 100000000 or 100 million. This
maxdatapoints limit is designed to avoid exhausting memory.
Example 1: Group search results into 4 clusters based on the values of the "date_hour" and "date_minute" fields.
... | kmeans k=4 date_hour date_minute
Example 2: Group results into 2 clusters based on the values of all numerical fields.
... | kmeans
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105