You can combine the link and cluster capabilities to classify clusters for a specific field. You can identify the entities or entity types that have the most potential issues and see any patterns or anomalies across those entities.

Using clusters, you can analyze a large set of log records and identify potential issues. With the Link by Cluster capability, you can group the log records by clusters and identify potential issues based on your selection of the field for analysis. For example, if you want to group your clusters based on entity, entity type, or log source, then you can use link by cluster.

In the following example, the log records of Host (Linux) entity type are analyzed with link and cluster capabilities by including * | link 'Entity Type', cluster() in the query. The complete query used for analysis is:

* | link 'Entity Type', cluster() | where 'Potential Issue' != null | fields -'Potential Issue' | where Count = 45 and 'Entity Type' = literal("Host(Linux)"))

First, the cluster command is run on the search string, in this case *, which produces a field called Cluster Sample. This field is linked with entity type to group all the clusters by entity type. The where clause specifies to look only for Potential Issues. So now, we have all the potential issues grouped by entity type. As you can see in the bubble chart, there are about 45 potential issues of the Host (Linux) entity type.

The groups table displays the details of the cluster sample corresponding to the anomaly group. Note the log content of the cluster sample available in the table which is possibly the cause for the potential issue: detected unhandled Python exception.

Follow the link Analyze Potential Issues by Entity Type for the sample command to use in your environment. Click More for more sample commands that you can use:

• Potential Issues by Entity
• Potential Issue Outliers by Entity
• Potential Issue Outliers by Entity Type
• Potential Issues by Entity, Severity

In the Potential Issue Outliers sample, the query is similar to the example discussed but has another where clause added (where 'Potential Issue' != null and count = 1) to identify all the errors that have occurred just once over the time period. However, note that the cluster samples still show the variables but the variables shown in link cannot be drilled down into.

For more information about the link visualization and for the steps to access link from the Visualize panel, see Link Visualization.