typelearner command is deprecated as of Splunk Enterprise version 5.0. This means that although the command continues to function, it might be removed in a future version.
findtypes command instead.
Generates suggested event types by taking previous search results and producing a list of potential searches that can be used as event types. By default, the
typelearner command initially groups events by the value of the grouping-field. The search then unifies and merges these groups based on the keywords they contain.
typelearner [<grouping-field>] [<grouping-maxlen>]
- Syntax: <field>
- Description: The field with values for the
typelearnercomman to use when initially grouping events.
punct, the punctuation seen in
- Syntax: maxlen=<int>
- Description: Determines how many characters in the grouping-field value to look at. If set to negative, the entire value of the grouping-field value is used to group events.
- Default: 15
Have the search automatically discover and apply event types to search results.
... | typelearner
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105, 8.2.2106, 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111