topic How to categorize count results by country in Splunk Search

How to categorize count results by country

parwindertaank — Tue, 24 Apr 2018 20:26:51 GMT

I have the following code from a web log, which gives me a table of the Time (by minute) the total for that minute, and the prediction and residual values.

I want to separate this by country, not just time.
ie, for each country and their times, what are the count values etc.

How can I update my code, which doesnt split the total and time by country?

index=* sourcetype ="access_combined" clientip=* 
  | iplocation clientip
  | bin _time span=1m 
  | stats count AS perMin by _time, Country
  | timechart span=1m sum(perMin) AS Total
  | predict Total as prediction algorithm=LLP future_timespan=5 holdback=0 
  | where prediction!="" AND Total!="" 
  | eval residual = prediction - Total

Re: How to categorize count results by country

TISKAR — Tue, 24 Apr 2018 22:29:42 GMT

Can you try this:

 index=* sourcetype ="access_combined" clientip=* 
       | iplocation clientip
       | bin _time span=1m 
       | stats count AS perMin by _time, Country
       | bin _time span=1m 
       | stats sum(perMin) AS Total by _time Country
       | predict Total as prediction algorithm=LLP future_timespan=5 holdback=0 
       | where prediction!="" AND Total!="" 
   | eval residual = prediction - Total

Re: How to categorize count results by country

parwindertaank — Wed, 25 Apr 2018 14:05:21 GMT

This works in splitting the results by Country!

Im not sure however if the prediction for the Total is accurate anymore, because the values I get for each country by minute are way off from the actual values.

How can I modify my predict command on Total use only the values for each country by minute for the prediction?