I have a table of data that is clustered via KMeans, I am trying to filter down to only display the other items in a particular cluster, but since the cluster number is done on the fly, this is proving to be difficult.
index=blah | stats count by something, device | fit PCA k=2 h_fields | fit KMeans k=10 PC_\* | table cluster PC_\* device h_fields
This will give the info I am looking for, but I only want to filter to view the other items in a single cluster, I know what device ahead of time, but I don't know the cluster number to look for until after the table renders. Basically want to only find other data in the same cluster.
I've been trying to do something like " | search [ search device="myDevice" | return 1 cluster=cluster] " but that does not seem to work....
↧