Use this command to view, in tabular format, the log data within a cluster produced by specific classify results. The summary expression selects which cluster (by ID) to split.


clustersplit collection=<collection_name> [<summary_expression>]


The following table lists the parameters you can use with this command, along with their descriptions.

Parameter               Description

collection              Specifies the collection where the log data exists. The value is a string; quote it, as in 'Fatal logs', when the collection name contains a space.

<summary_expression>    Compares the cluster ID to an expression. The value takes one of two forms: id <cmp> <value>, or id <in_exp>.

<cmp>                   Comparison operator used in the id <cmp> <value> form. The possible values are = and !=.

<in_exp>                Membership test against a list of values, in the format [NOT] IN "(" <value> ("," <value>)* ")", for example id IN (1, 2) or id NOT IN (1, 2).

The table returned by the query has the following columns:
  • Collection: The name of the collection where data is persisted

  • Id: Cluster Id that is unique within the collection

  • Log Source: The source of the cluster

  • Count: The number of log records with this signature

  • Sample Id: Unique identifier for the sample message

  • Sample Message: A sample log record from the signature

  • Shape: A computed number assigned to each unique trend to group similar trends together

  • Trend: Trend of log entries that match the pattern over time

  • Score: A computed value assigned to each cluster used in the default sorting

  • Facet Message Id: Unique row identifier when splitting a cluster by facet variables

  • Variables: Detailed information of all facet variables for each sample message

  • Document ID: The document identifier associated with the sample message

The following query first keeps only the log records whose Severity is fatal, then returns the cluster with ID 1 from the collection 'Fatal logs':

Severity = fatal | clustersplit collection = 'Fatal logs' id = 1
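To make the summary-expression grammar above concrete, here is an added example (not part of the original page, and not the product's own implementation) that parses the four accepted forms, id = N, id != N, id IN (...) and id NOT IN (...), into a predicate and applies it to a constructed set of clustersplit-style rows. The row data, the collection names and the helper functions (parse_summary_expression, clustersplit, cluster_ids, is_valid_summary_expression) are all assumptions made for illustration; the real command runs inside the log query pipeline and is not reimplemented here.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample rows shaped like the clustersplit result table.
# Only the columns needed for the id filter are filled in; this is not real data.
CLUSTER_ROWS: List[Dict] = [
    {"Collection": "Fatal logs", "Id": 1, "Log Source": "app-server", "Count": 12,
     "Sample Message": "fatal: out of memory in worker pool"},
    {"Collection": "Fatal logs", "Id": 2, "Log Source": "app-server", "Count": 3,
     "Sample Message": "fatal: database connection refused"},
    {"Collection": "Fatal logs", "Id": 3, "Log Source": "auth", "Count": 40,
     "Sample Message": "fatal: token signing key unavailable"},
    {"Collection": "Fatal logs", "Id": 7, "Log Source": "auth", "Count": 1,
     "Sample Message": "fatal: certificate chain validation failed"},
    {"Collection": "Warnings", "Id": 1, "Log Source": "app-server", "Count": 99,
     "Sample Message": "warn: slow query detected"},
]

# id <cmp> <value>, where <cmp> is = or !=
_CMP_RE = re.compile(r"^\s*id\s*(=|!=)\s*(\d+)\s*$", re.IGNORECASE)
# id [NOT] IN "(" <value> ("," <value>)* ")"
_IN_RE = re.compile(
    r"^\s*id\s+(NOT\s+)?IN\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)\s*$", re.IGNORECASE
)


def parse_summary_expression(expr: str) -> Callable[[int], bool]:
    """Turn a summary expression into a predicate over a cluster Id.

    Accepts exactly the forms documented for clustersplit; anything else
    (for example 'id < 3') is rejected rather than silently ignored.
    """
    m = _CMP_RE.match(expr)
    if m:
        op, value = m.group(1), int(m.group(2))
        return (lambda i: i == value) if op == "=" else (lambda i: i != value)
    m = _IN_RE.match(expr)
    if m:
        negate = m.group(1) is not None
        values = {int(v) for v in m.group(2).split(",")}
        # NOT IN is the complement of IN over the same value list
        return lambda i: (i in values) != negate
    raise ValueError(f"unsupported summary expression: {expr!r}")


def is_valid_summary_expression(expr: str) -> bool:
    """True if expr parses under the clustersplit grammar, False otherwise."""
    try:
        parse_summary_expression(expr)
        return True
    except ValueError:
        return False


def clustersplit(rows: List[Dict], collection: str,
                 summary_expression: Optional[str] = None) -> List[Dict]:
    """Hypothetical stand-in for 'clustersplit collection=<name> [<summary_expression>]'.

    Keeps rows from the named collection and, if a summary expression is given,
    only those whose Id satisfies it. With no expression every cluster is returned.
    """
    pred = parse_summary_expression(summary_expression) if summary_expression else (lambda i: True)
    return [r for r in rows if r["Collection"] == collection and pred(r["Id"])]


def cluster_ids(rows: List[Dict], collection: str,
                summary_expression: Optional[str] = None) -> List[int]:
    """Sorted cluster Ids selected by clustersplit, convenient for checking results."""
    return sorted(r["Id"] for r in clustersplit(rows, collection, summary_expression))


if __name__ == "__main__":
    # Mirrors the page's example: clustersplit collection = 'Fatal logs' id = 1
    for row in clustersplit(CLUSTER_ROWS, "Fatal logs", "id = 1"):
        print(row["Id"], row["Count"], row["Sample Message"])
    # The other accepted forms, all against the same collection
    for expr in ("id != 1", "id IN (1, 7)", "id NOT IN (1, 7)"):
        print(expr, "->", cluster_ids(CLUSTER_ROWS, "Fatal logs", expr))
```

The collection filter matters: cluster Ids are only unique within a collection, so the 'Warnings' row with Id 1 is never confused with cluster 1 of 'Fatal logs'. Rejecting unknown operators up front is deliberate; a filter that quietly matched nothing (or everything) on a malformed expression is the kind of behaviour that hides results during an investigation.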