topic Re: multiple field in geostats in Splunk Search

multiple field in geostats

vikashperiwal — Tue, 29 Sep 2020 22:29:01 GMT

HI,

i am trying to display multiple fields like num1, num2, num 3 in map and trying to gets its lat and long from external csv using join.common field is clli_pk.. how can we display all the values(num 1 , num 2...)

| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18

Re: multiple field in geostats

richgalloway — Sat, 15 Dec 2018 18:00:40 GMT

Instead of | join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ] use | lookup CLLI_Address.csv clli_pk OUTPUT latitude longitude

Re: multiple field in geostats

vikashperiwal — Tue, 29 Sep 2020 22:29:12 GMT

here i am able to get the field value , but my query is
"| eval clli_pk=substr(hop4node,1,8)*
| stats avg(Ave) AS Ave by hop1node hop2node hop3node hop4node hop5node hop6node hop7node hop8node hop9node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]
| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18
here for only one field that is hop4Node is displayed, how can i display all the fields ie.. hop1node,hop2node,hop3node in map.........

Re: multiple field in geostats

richgalloway — Mon, 17 Dec 2018 13:41:44 GMT

I'm not sure you can do that, but perhaps someone else will have an idea. The geostats command accepts a single field in the by clause so you can do as you did in stats. You could try combining all the fields into a single field using | eval hops="" | foreach hop*Node [eval hops=hops."|".<<FIELD>>] | geostats median(Ave) by hops..., but that will give you stats for every combination of hop nodes.