https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364580#M66412 <P>You've already filtered the countries before geostats, so what's the purpose of filtering again? </P> <P>The thing is after geostats command, there is no field called Country, so you can't filter it after geostats. With geostats, each Country value will become a field in itself (your output will have fields geobin, latitude, longitude and one column for each Country). So, if you want to show data only for a specific country you'd need to use table or fields command. </P> <PRE><CODE> action=allowed | stats count by src_ip |iplocation src_ip | where Country != "United States"|geostats latfield=lat longfield=lon count by Country | table geobin, latitude, longitude, EnterCountryNameThatYouWantToShow </CODE></PRE> <P>OR</P> <PRE><CODE>action=allowed | stats count by src_ip |iplocation src_ip | where Country != "United States"|geostats latfield=lat longfield=lon count by Country | fields - EnterCountryNameThatYouDon'tWantToShow </CODE></PRE> Thu, 16 Mar 2017 15:19:01 GMT somesoni2 2017-03-16T15:19:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364575#M66407 <P>When I run this line I get the results mapped on the cluster map, but I want to filter out the US.</P> <PRE><CODE>action=allowed | stats count by src_ip |iplocation src_ip |geostats latfield=lat longfield=lon count by Country </CODE></PRE> <P>I've tried using the where clause below but it will not work.</P> <PRE><CODE>where Country != "United States" </CODE></PRE> <P>Any suggestions?</P> Thu, 16 Mar 2017 14:00:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364575#M66407 jsisko1873 2017-03-16T14:00:24Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364576#M66408 <P>Move the where clause to just after iplocation and before geostats command.</P> <PRE><CODE>action=allowed | stats count by src_ip |iplocation src_ip | where Country != "United States"|geostats latfield=lat longfield=lon count by Country </CODE></PRE> Thu, 16 Mar 2017 14:25:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364576#M66408 somesoni2 2017-03-16T14:25:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364577#M66409 <P>So I've tried putting it where you suggested and at the end. When I have it in the middle, I'll get events but I won't get statistics or the visualization option which I would like to have. Do you have any other ideas?</P> Thu, 16 Mar 2017 14:37:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364577#M66409 jsisko1873 2017-03-16T14:37:57Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364578#M66410 <P>So, when you just run below, you can see some results in statistics tab, but when you add the geostats you don't get anything?</P> <PRE><CODE>action=allowed | stats count by src_ip |iplocation src_ip | where Country != "United States" </CODE></PRE> Thu, 16 Mar 2017 14:42:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364578#M66410 somesoni2 2017-03-16T14:42:09Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364579#M66411 <P>Correct. When I run what you posted (and actually its action=blocked, no difference though) I will get results, but as soon as I try to add geostats I can't find a way to filter countries. And that's why I'm not sure if its a placement thing unto where it goes, of if I should be using a different command to filter my results.</P> Thu, 16 Mar 2017 15:04:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364579#M66411 jsisko1873 2017-03-16T15:04:25Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364580#M66412 <P>You've already filtered the countries before geostats, so what's the purpose of filtering again? </P> <P>The thing is after geostats command, there is no field called Country, so you can't filter it after geostats. With geostats, each Country value will become a field in itself (your output will have fields geobin, latitude, longitude and one column for each Country). So, if you want to show data only for a specific country you'd need to use table or fields command. </P> <PRE><CODE> action=allowed | stats count by src_ip |iplocation src_ip | where Country != "United States"|geostats latfield=lat longfield=lon count by Country | table geobin, latitude, longitude, EnterCountryNameThatYouWantToShow </CODE></PRE> <P>OR</P> <PRE><CODE>action=allowed | stats count by src_ip |iplocation src_ip | where Country != "United States"|geostats latfield=lat longfield=lon count by Country | fields - EnterCountryNameThatYouDon'tWantToShow </CODE></PRE> Thu, 16 Mar 2017 15:19:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364580#M66412 somesoni2 2017-03-16T15:19:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364581#M66413 <P>Perfect, thank you! The second block was what I wanted. Much appreciated! If I may ask one more quick question since you've been so helpful. I'm trying to rename a result in a field (There are only two results). I was trying to use the eval command to do that and haven't gotten it to work.<BR /> For the firewall there is two rules for the "rule" field: out_to_in and in_to_out</P> <P>How do I need to change the eval or should I use something else?</P> <P>eval rule=case(rule==out_to_in,"Layer 3 Core access in",rule==in_to_out,"Subnet out to Layer 3 Core")</P> Tue, 29 Sep 2020 13:17:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364581#M66413 jsisko1873 2020-09-29T13:17:41Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364582#M66414 <P>Do you get two rows one column or one row two columns, when you look at result in statistics tab?</P> Thu, 16 Mar 2017 15:49:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364582#M66414 somesoni2 2017-03-16T15:49:10Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364583#M66415 <P>Rule and count are the columns, and then I have two rows, one for each rule.</P> Thu, 16 Mar 2017 16:06:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364583#M66415 jsisko1873 2017-03-16T16:06:22Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364584#M66416 <P>Then the eval you had should work. Just need to enclose value of the rules in double quotes.</P> <PRE><CODE>...| eval rule=case(rule=="out_to_in","Layer 3 Core access in",rule=="in_to_out","Subnet out to Layer 3 Core") </CODE></PRE> Thu, 16 Mar 2017 16:08:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364584#M66416 somesoni2 2017-03-16T16:08:42Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364585#M66417 <P>@jsisko1873 - Did the answer provided by somesoni2 help provide a working solution to your original question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!</P> Fri, 17 Mar 2017 00:43:29 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-filter-out-countries-when-using-geostats/m-p/364585#M66417 aaraneta_splunk 2017-03-17T00:43:29Z