topic How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude? in Dashboards & Visualizations

How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

richnsanders_70 — Tue, 29 Sep 2020 11:16:48 GMT

I have multiple columns:

source address: saddr
dest address: daddr
times seen: times_seen
destination port: dport
latitude: slat
longitude: slong

My report data is presented as:

saddr  daddr  dport  times_seen slat slong

saddr  daddr  0      12         lat  long  
saddr  daddr  1      22         lat  long  
saddr  daddr  0      15         lat  long  
saddr  daddr  1      7          lat  long

I'd like to see on my geostats map each dport and how many times it was seen by lat and long on the bubble. I'm getting everything working except for the addition of the "times_seen" block. Anytime I try to evaluate or add the "times_seen" I either get no results or an error.

I'm using:

index="the_index" | geostats latitude=slat longitude=slong count by dport

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

dmaislin_splunk — Tue, 04 Oct 2016 18:31:40 GMT

index="the_index" | geostats count(dport) latitude=slat longitude=slong by dport

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

richnsanders_70 — Tue, 04 Oct 2016 18:44:03 GMT

I appreciate the answer, but this combines all my ports into one value, I'd like to see the bubble show me how many of EACH port at each lat/long. What I'm already using shows me in the bubble the ports it sees, but if it sees port 0 three times, once with 17 hits, once with 10 hits and once with 5 hits, it does not appear to combine the values and show port 0 with 32 hits. Thanks again!

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

dmaislin_splunk — Tue, 04 Oct 2016 18:46:45 GMT

index="the_index" | geostats count(dport) latitude=slat longitude=slong by dport

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

richnsanders_70 — Tue, 04 Oct 2016 18:59:25 GMT

That seems to have done it, I was going way overboard in trying to solve this when it was such as simple answer.

Thank you very much!

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

dmaislin_splunk — Tue, 04 Oct 2016 19:01:24 GMT

Any time! Feel free to upvote 🙂

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

richnsanders_70 — Tue, 04 Oct 2016 19:06:55 GMT

I did, i think!

Re: How to modify my geostats search to map each destination port field and how many times it was seen by latitude and longitude?

dmaislin_splunk — Tue, 04 Oct 2016 19:07:52 GMT

thank you!