Answers for "How to apply the fit command with a "by" field"
https://answers.splunk.com/answers/590626/how-to-apply-the-fit-command-with-a-by-field.html
The latest answers for the question "How to apply the fit command with a "by" field"

Answer by cmerriman
https://answers.splunk.com/answering/590898/view.html
The map command might be your only option, as there isn't a `by` command for clustering.
```
|makeresults |eval data="C=red C=blue"|makemv data|mvexpand data|rename data as _raw|kv|table C
|map maxsearches=6 search="|makeresults |eval data=\"A=10,B=2,C=red A=4,B=6,C=red A=9,B=1,C=red A=110,B=102,C=blue A=104,B=106,C=blue A=109,B=101,C=blue\"|makemv data|mvexpand data|rename data as _raw|kv|search C=$C$|table A B C|fit KMeans k=2 A B"
```

Tue, 14 Nov 2017 13:27:40 GMT
cmerriman