findkeywords command is an internal, unsupported, experimental command. See
About internal commands.
Given some integer labeling of events into groups, finds searches to generate these groups.
- Syntax: labelfield=<field>
- Description: A field name.
findkeywords command after the
cluster command, or a similar command that groups events. The
findkeyword command takes a set of results with a field (labelfield) that supplies a partition of the results into a set of groups. The command derives a search to generate each of these groups. This search can be saved as an event type.
Return logs for specific log_level values and group the results
Return all logs where the log_level is DEBUG, WARN, ERROR, FATAL and group the results by cluster count.
index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | findkeywords labelfield=cluster_count
The result is a statistics table:
The values of
groupID are the values of
cluster_count returned from the
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303
Feedback submitted, thanks!