https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150780#M5638 <P>I have a field in my events that can vary ever so subtly named "Serial". I am using the cluster command to combine these similar values into groups/clusters. This part works.</P> <P>However, I cannot figure out how to list out the unqiue values of making up each cluster after combining them. This is the whole point I'm trying to achieve... I need to know which values are closely related. The results only display ONE value for each cluster in the table. There are over 6,000 unique values that cluster down into 30~ clusters after running the command, and I need the list of 6,000 chopped up by cluster. </P> <HR /> <P>Example data set that will return two clusters:</P> <UL> <LI>Serial=123456789</LI> <LI>Serial=123456788</LI> <LI>Serial=123456787</LI> <LI>Serial=987654321</LI> <LI>Serial=987654322</LI> <LI>Serial=987654323</LI> </UL> <P>The basic working query:</P> <UL> <LI>index=stuff | cluster t=0.35 field=Serial | table cluster_count, cluster_label, Serial | sort - cluster_count</LI> </UL> <P>Data returned from the query:</P> <UL> <LI>30 1 123456789</LI> <LI>23 2 987654321</LI> </UL> <HR /> <P>My questions is: How do I list out the values for each cluster instead of just one? Below is what I expected to work but it returns the same as above. One "Serial" value per count_label value. I thought it would return all of the values in each cluster_label:</P> <UL> <LI>index=stuff Serial="*" | cluster t=0.35 field=Serial | stats values(Serial) by cluster_label</LI> </UL> <P>Help!</P> Fri, 02 May 2014 19:15:49 GMT thisissplunk 2014-05-02T19:15:49Z https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150780#M5638 <P>I have a field in my events that can vary ever so subtly named "Serial". I am using the cluster command to combine these similar values into groups/clusters. This part works.</P> <P>However, I cannot figure out how to list out the unqiue values of making up each cluster after combining them. This is the whole point I'm trying to achieve... I need to know which values are closely related. The results only display ONE value for each cluster in the table. There are over 6,000 unique values that cluster down into 30~ clusters after running the command, and I need the list of 6,000 chopped up by cluster. </P> <HR /> <P>Example data set that will return two clusters:</P> <UL> <LI>Serial=123456789</LI> <LI>Serial=123456788</LI> <LI>Serial=123456787</LI> <LI>Serial=987654321</LI> <LI>Serial=987654322</LI> <LI>Serial=987654323</LI> </UL> <P>The basic working query:</P> <UL> <LI>index=stuff | cluster t=0.35 field=Serial | table cluster_count, cluster_label, Serial | sort - cluster_count</LI> </UL> <P>Data returned from the query:</P> <UL> <LI>30 1 123456789</LI> <LI>23 2 987654321</LI> </UL> <HR /> <P>My questions is: How do I list out the values for each cluster instead of just one? Below is what I expected to work but it returns the same as above. One "Serial" value per count_label value. I thought it would return all of the values in each cluster_label:</P> <UL> <LI>index=stuff Serial="*" | cluster t=0.35 field=Serial | stats values(Serial) by cluster_label</LI> </UL> <P>Help!</P> Fri, 02 May 2014 19:15:49 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150780#M5638 thisissplunk 2014-05-02T19:15:49Z https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150781#M5639 <P>If I understand you correctly, what you are looking for is the 'labelonly=true' option. This will return to you all of your events, but still grouped into your clusters.</P> <P><CODE>index=stuff Serial="*" | cluster t=0.35 field=Serial labelonly=true</CODE></P> <P>So with your example you will get this:<BR /> <CODE><BR /> 30 1 123456789<BR /> 30 1 123456788<BR /> 30 1 123456787<BR /> 23 2 987654321<BR /> 23 2 987654322<BR /> 23 2 987654323<BR /> </CODE></P> <P>You can then see only the events from a specific cluster by searching on the cluster_label.</P> <P><CODE>index=stuff Serial="*" | cluster t=0.35 field=Serial labelonly=true | search cluster_label=2</CODE></P> <P>will return this:</P> <P><CODE><BR /> 23 2 987654321<BR /> 23 2 987654322<BR /> 23 2 987654323<BR /> </CODE></P> Thu, 29 May 2014 15:57:25 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150781#M5639 emccaslin 2014-05-29T15:57:25Z https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150782#M5640 <P>This is exactly what I was looking for. The definition of labelonly did not make this obvious until I read it over a few times. Not sure why this isn't the default option.</P> <P>Thank you. Now I know what data I'm looking at.</P> Thu, 29 May 2014 16:18:52 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150782#M5640 thisissplunk 2014-05-29T16:18:52Z https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150783#M5641 <P>Glad to help!</P> Thu, 29 May 2014 19:33:53 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150783#M5641 emccaslin 2014-05-29T19:33:53Z https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150784#M5642 <P>Is there any way to view the unique contents of all the clusters in one view? The above command displays the results only for one cluster label. </P> Tue, 31 Jul 2018 07:35:58 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-cluster-command-and-showing-the-unique-contents-of-each/m-p/150784#M5642 KrithikaRamakri 2018-07-31T07:35:58Z