Cluster Grouping

I want to group the cluster value based on the similar punct. I have used the following query. tag="tagname" sourcetype="sourcetype" ERROR | cluster t=0.9 showcount=true field="punct"| sort - cluster_count | head 10|table punct cluster_count

But it is not able to distinguish the different punct like below and gives the count as combination of the count of 1st and 2nd punct.

--::,[/#-]:__:.:_://...:/?=&=&=----&

--::,[/#-]:__:.:_://...:/?=.&=----&=

tag="tagname" sourcetype="sourcetype" ERROR|stats count by punct|sort - count|head 100

All suggestions are welcome!

asked 30 Nov '11, 03:28

rkanalyst
6●1
accept rate: 0%

One Answer:

oldest newest most voted

I was able to resolve this issue using the delim inside the cluster query.

tag="tagname" sourcetype="sourcetype" ERROR | cluster t=0.9 showcount=true field="punct" delims="&$%"| sort - cluster_count | head 10|table punct cluster_count

You can add more symbols inside the delims to distinguish the punct uniquely

delims="&$%"

link

answered 01 Dec '11, 22:20

rkanalyst
6●1
accept rate: 0%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

cluster ×49
punct ×5

Asked: 30 Nov '11, 03:28

Seen: 800 times

Last updated: 01 Dec '11, 22:20

Cluster Grouping

Follow this question

Splunk Resources

Related questions