Splunk Cloud Platform

Search Reference

typelearner

The typelearner command is deprecated as of Splunk Enterprise version 5.0. This means that although the command continues to function, it might be removed in a future version.

Use the findtypes command instead.

Description

Generates suggested event types by taking previous search results and producing a list of potential searches that can be used as event types. By default, the typelearner command initially groups events by the value of the grouping-field. The search then unifies and merges these groups based on the keywords they contain.

Syntax

typelearner [<grouping-field>] [<grouping-maxlen>]

Optional arguments

grouping-field
Syntax: <field>
Description: The field with values for the typelearner comman to use when initially grouping events.
Default: punct, the punctuation seen in _raw
grouping-maxlen
Syntax: maxlen=<int>
Description: Determines how many characters in the grouping-field value to look at. If set to negative, the entire value of the grouping-field value is used to group events.
Default: 15

Examples

Example 1:

Have the search automatically discover and apply event types to search results.

... | typelearner

See also

typer

Last modified on 22 July, 2020
typeahead   typer

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters