clustersplit

Use this command to view, in tabular format, the log data within a cluster for specific classify results.

Syntax

clustersplit collection=<collection_name> [<summary_expression>]

Parameters

The following table lists the parameters you can use with this command, along with their descriptions.

Parameter Description

collection_name

Use this parameter to specify the collection where the log data exists. The value for this parameter is a string, given either quoted as '<string>' or unquoted as <string>; a name that contains spaces is quoted, as in the example below.

summary_expression

Use this parameter to select clusters by comparing their Id to an expression. The value for this parameter should be in the format id <cmp> <value> or id <in_exp>.

cmp

Use this parameter as a comparison operator. The possible values are = and !=.

in_exp

This parameter should be in the format [NOT] IN "(" <value> ("," <value>)* ")".

The table produced by running the query has the following columns:
  • Collection: The name of the collection where data is persisted

  • Id: Cluster Id that is unique within the collection

  • Log Source: The source of the cluster

  • Count: The number of log records with this signature

  • Sample Id: Unique identifier for the sample message

  • Sample Message: A sample log record from the signature

  • Shape: A computed number assigned to each unique trend to group similar trends together

  • Trend: Trend of log entries that match the pattern over time

  • Score: A computed value assigned to each cluster used in the default sorting

  • Facet Message Id: Unique row identifier when splitting a cluster by facet variables

  • Variables: Detailed information of all facet variables for each sample message

  • Document ID: The document identifier associated with the sample message

The following query returns the fatal logs that belong to cluster Id 1 in the collection 'Fatal logs'.

Severity = fatal | clustersplit collection = 'Fatal logs' id = 1
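The following Python script is an added illustration, not part of the Oracle documentation: it parses summary_expression according to the grammar given above (id <cmp> <value>, or id [NOT] IN "(" <value> ("," <value>)* ")") and applies the parsed filter to a constructed table of cluster rows, restricted to one collection, the way the query above does. It assumes cluster Ids are integers and uses only a subset of the documented result columns; the row data is made up for the example.

```python
import re

# Grammar from the command reference (assumed: cluster Ids are integers):
#   summary_expression := id <cmp> <value> | id [NOT] IN "(" <value> ("," <value>)* ")"
#   cmp                := "=" | "!="
_CMP_RE = re.compile(r"^\s*id\s*(=|!=)\s*(\d+)\s*$", re.IGNORECASE)
_IN_RE = re.compile(r"^\s*id\s+(NOT\s+)?IN\s*\(\s*([^()]*?)\s*\)\s*$", re.IGNORECASE)


def parse_summary_expression(expr):
    """Return (operator, set_of_ids) for a valid expression.

    operator is one of '=', '!=', 'IN', 'NOT IN'. Raises ValueError for
    anything the grammar does not allow (including an empty IN list).
    """
    m = _CMP_RE.match(expr)
    if m:
        return m.group(1), {int(m.group(2))}
    m = _IN_RE.match(expr)
    if m:
        values = [v.strip() for v in m.group(2).split(",")]
        if any(not v.isdigit() for v in values):
            raise ValueError(f"IN list must contain one or more numeric Ids: {expr!r}")
        op = "NOT IN" if m.group(1) else "IN"
        return op, {int(v) for v in values}
    raise ValueError(f"not a valid summary_expression: {expr!r}")


def matches(op, ids, cluster_id):
    """Evaluate the parsed expression against one cluster Id."""
    if op in ("=", "IN"):
        return cluster_id in ids
    return cluster_id not in ids  # '!=' and 'NOT IN'


def clustersplit(rows, collection, summary_expression=None):
    """Keep the rows of the named collection; optionally filter them by Id.

    Mirrors: ... | clustersplit collection = '<collection>' [<summary_expression>]
    """
    selected = [r for r in rows if r["Collection"] == collection]
    if summary_expression is None:
        return selected
    op, ids = parse_summary_expression(summary_expression)
    return [r for r in selected if matches(op, ids, r["Id"])]


# Constructed sample rows (a subset of the documented columns). Ids are unique
# within a collection, so Id 1 appears in two different collections.
SAMPLE_ROWS = [
    {"Collection": "Fatal logs", "Id": 1, "Log Source": "App Server Log", "Count": 12,
     "Sample Message": "FATAL out of memory while allocating session buffer"},
    {"Collection": "Fatal logs", "Id": 2, "Log Source": "App Server Log", "Count": 3,
     "Sample Message": "FATAL unable to open listener on port"},
    {"Collection": "Fatal logs", "Id": 3, "Log Source": "Database Alert Log", "Count": 7,
     "Sample Message": "FATAL background process terminated"},
    {"Collection": "Error logs", "Id": 1, "Log Source": "App Server Log", "Count": 40,
     "Sample Message": "ERROR request timed out"},
]


if __name__ == "__main__":
    # Equivalent of: Severity = fatal | clustersplit collection = 'Fatal logs' id = 1
    for row in clustersplit(SAMPLE_ROWS, "Fatal logs", "id = 1"):
        print(row["Id"], row["Count"], row["Sample Message"])
    # Equivalent of: ... | clustersplit collection = 'Fatal logs' id NOT IN (1, 3)
    for row in clustersplit(SAMPLE_ROWS, "Fatal logs", "id NOT IN (1, 3)"):
        print(row["Id"], row["Count"], row["Sample Message"])
```

The collection filter is applied before the Id filter, which is why `id = 1` on 'Fatal logs' does not pick up the Id 1 cluster from 'Error logs': the Id is only unique within a collection, as the column description above states. Omitting summary_expression returns every cluster in the collection.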