`clustersplit`

Use this command to view the log data within a cluster for specific classify results in the tabular format.

Syntax

clustersplit collection=<collection_name> [<summary_expression>]

Parameters

The following table lists the parameters you can use with this command, along with their descriptions.

Parameter	Description
`collection_name`	Use this parameter to specify the collection where the log data exists. The value for this variable should either be in the format `‘<string>’` or `“<string>”`.
`summary_expression`	Use this parameter to compare the ID to an expression. The value for this parameter should either be in the format `id <cmp>` or `id <in_exp>`.
`cmp`	Use this parameter as a comparison operator. The possible values for this variable include `=` and `!=`.
`in_exp`	This parameter should be in the format `[NOT] IN “(“ <value> (“,”<value>)*”)”`.

The resulting table on running the query has the following columns:

Collection: The name of the collection where data is persisted
Id: Cluster Id that is unique within the collection
Log Source: The source of the cluster
Count: The number of log records with this signature
Sample Id: Unique identifier for the sample message
Sample Message: A sample log record from the signature
Shape: A computed number assigned to each unique trend to group similar trends together
Trend: Trend of log entries that match the pattern over time
Score: A computed value assigned to each cluster used in the default sorting
Facet Message Id: Unique row identifier when splitting a cluster by facet variables
Variables: Detailed information of all facet variables for each sample message
Document ID: The document identifier associated with the sample message

The following query returns the fatal logs included in ID 1, in the collection ‘Fatal logs’.

Severity = fatal | clustersplit collection = 'Fatal logs' id = 1

clustersplit