findkeywords command is an internal, unsupported, experimental command. See
About internal commands.
Given some integer labeling of events into groups, finds searches to generate these groups.
- Syntax: labelfield=<field>
- Description: A field name.
findkeywords command after the
cluster command, or a similar command that groups events. The
findkeyword command takes a set of results with a field (labelfield) that supplies a partition of the results into a set of groups. The command derives a search to generate each of these groups. This search can be saved as an event type.
Return logs for specific log_level values and group the results
Return all logs where the log_level is DEBUG, WARN, ERROR, FATAL and group the results by cluster count.
index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | findkeywords labelfield=cluster_count
The result is a statistics table:
The values of
groupID are the values of
cluster_count returned from the
This documentation applies to the following versions of Splunk Cloud Platform™: 7.0.13, 8.0.2006, 8.0.2007, 8.1.2011, 8.1.2009, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107