https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589123#M205169 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>Just want to understand why cluster count messages count is coming 42+.&nbsp;</P><P>I want to combine the similar messages that is why I have used cluster count .</P><P>Can you guide me on the same</P> Tue, 15 Mar 2022 14:59:16 GMT aditsss 2022-03-15T14:59:16Z https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589046#M205142 <P>Hi Everyone,</P> <P>I have created the below query in Splunk to fetch the Error messages</P> <LI-CODE lang="markup">index=abc ns=blazegateway-c2 CASE(ERROR)|rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)"|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")| cluster showcount=t t=0.3|table app_name, Error_Message ,cluster_count,_time, environment, pod_name,ns |dedup Error_Message| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count</LI-CODE> <P>I observe that for particular Error message like below:</P> <P><SPAN>[reactor-http-epoll-4,cd5411f55ef5b309d8c4bc3f558e8af2,269476b43c74118e,01] reactor.core.publisher.Operators - Operator called default onErrorDropped</SPAN></P> <P><SPAN>Count is coming as 42.Although the Event with this Error Messages are 13 only.</SPAN></P> <P><SPAN>I want to know is this the problem with cluster_count .</SPAN></P> <P><SPAN>How the cluster is working in splunk. Is my query taking cluster_count instead of actual counts.</SPAN></P> <P><SPAN>Can someone guide me on this.</SPAN></P> Wed, 16 Mar 2022 14:26:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589046#M205142 aditsss 2022-03-16T14:26:08Z https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589119#M205167 <P>The <FONT face="courier new,courier">cluster</FONT> command uses somewhat "fuzzy" matching so non-identical events may be counted together.&nbsp; To get a precise count, use the <FONT face="courier new,courier">eventstats</FONT> command.</P><LI-CODE lang="markup">index=abc ns=blazegateway-c2 CASE(ERROR) | rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)" | eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | eventstats count as Count by Error_Message | table app_name, Error_Message, Count, Time, environment, pod_name, ns | dedup Error_Message | rename app_name as APP_NAME, environment as Environment, pod_name as Pod_Name</LI-CODE><P>&nbsp;</P> Tue, 15 Mar 2022 14:43:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589119#M205167 richgalloway 2022-03-15T14:43:50Z https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589123#M205169 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>Just want to understand why cluster count messages count is coming 42+.&nbsp;</P><P>I want to combine the similar messages that is why I have used cluster count .</P><P>Can you guide me on the same</P> Tue, 15 Mar 2022 14:59:16 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589123#M205169 aditsss 2022-03-15T14:59:16Z https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589125#M205171 <P>As I said in my first reply, the cluster command is "fuzzy".&nbsp; It groups <STRONG>similar</STRONG> events rather than <STRONG>identical</STRONG> events.&nbsp; Since we don't know the exact algorithm it uses, your count of events is likely to be different.</P><P>Use a higher value of <FONT face="courier new,courier">t</FONT> (the default is 0.8) to have the events be more similar.</P> Tue, 15 Mar 2022 15:05:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589125#M205171 richgalloway 2022-03-15T15:05:11Z https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589327#M205220 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>I have attached the screenshot I am getting count as 361 with the below query</P><P>index=abc ns=blazegateway-c2 CASE(ERROR)|rex field=_raw "(?&lt;!LogLevel=)ERROR(?&lt;Error_Message&gt;.*)"|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")| cluster showcount=t t=0.3|table app_name, Error_Message ,cluster_count,_time, environment, pod_name,ns |dedup Error_Message| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count</P><P>&nbsp;</P><P>when I am clicking on count 361 its not showing anything.</P><P>I want to check what are the events for 361 count.</P><P>Please guide me on the same.</P> Wed, 16 Mar 2022 13:22:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589327#M205220 aditsss 2022-03-16T13:22:58Z https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589512#M205281 <P>I'm pretty sure you can't drill down on <FONT face="courier new,courier">cluster</FONT> results.</P> Thu, 17 Mar 2022 12:55:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-Cluster-Count-not-working/m-p/589512#M205281 richgalloway 2022-03-17T12:55:37Z