Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I filter a table based on cluster number or su...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a table of data that is clustered via KMeans, I am trying to filter down to only display the other items in a particular cluster, but since the cluster number is done on the fly, this is proving to be difficult.
index=blah | stats count by something, device | fit PCA k=2 h_fields | fit KMeans k=10 PC_* | table cluster PC_* device h_fields
This will give the info I am looking for, but I only want to filter to view the other items in a single cluster, I know what device ahead of time, but I don't know the cluster number to look for until after the table renders. Basically want to only find other data in the same cluster.
I've been trying to do something like " | search [ search device="myDevice" | return 1 cluster=cluster] " but that does not seem to work....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this after your kmeans...
| eventstats count(eval(device="myDevice")) as theclusterIwant by CLUSTERNUMBER
| where theclusterIwant>=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@oclumbertruck, if you want to pick first or last of Cluster Number from your base search and pass the same to your subsequent search you can use map command. Following is an example:
index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by component log_level
| kmeans k=2
| search log_level="WARN"
| tail 1
| table CLUSTERNUM
| map search="search index=_internal sourcetype=splunkd log_level!=\"INFO\"
| stats count by component log_level
| kmeans k=5
| search CLUSTERNUM=$CLUSTERNUM$"
PS: It uses Splunk's _internal index and does not use fit <model> commands (as somehow it is not working on my machine). However, to provide an example I have used kmeans command directly on two fields as present in Splunk's _internal index. Please change the query as per your need.
Notice that double quotes inside map command needs to be escaped with backslash. Refer to map command Splunk documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this after your kmeans...
| eventstats count(eval(device="myDevice")) as theclusterIwant by CLUSTERNUMBER
| where theclusterIwant>=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked great for what I need. I started down this path, but didn't quite get there, thanks for the help!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
