topic Re: Why is geostats not showing data for all expected countries when the search finishes? in Splunk Search

Why is geostats not showing data for all expected countries when the search finishes?

marina_rovira — Thu, 28 Apr 2016 12:45:13 GMT

Hello all,

I have an issue trying to visualize data on a map. I don't have an extra plugin and is not a search by IP.

Now, I'm trying to get the lat and log from a lookup and count the events per country, then, visualize it on the map.

Here is my search:

index="*alerts"    | dedup Alert    | rename Country as country    | lookup countries.csv  country | rename latitude as lat | rename longitude as lon |eventstats count(Alert) as alerts by country  | geostats  count(alerts) by country globallimit=0

With this, I want to count number of alerts per country.

While the search is processing, it is showing all the countries (really not all, but I just miss 3) like this:

But when the search ends, it show this:

Can you help me and tell what I'm doing wrong or what is causing countries as USA or Japan to not show up on the map when the search is finished?

Thank you in advance.

Re: Why is geostats not showing data for all expected countries when the search finishes?

marina_rovira — Fri, 29 Apr 2016 08:09:57 GMT

Also, why it don't sum up all the events for each country, I have X events in different geobin for each country, why is that?

Re: Why is geostats not showing data for all expected countries when the search finishes?

marina_rovira — Thu, 21 Jul 2016 07:18:15 GMT

I've resolved myself this question. Thakn you all the visitors for check it!

Re: Why is geostats not showing data for all expected countries when the search finishes?

ppablo — Tue, 26 Jul 2016 23:25:33 GMT

Hi @marina_rovira

Glad you were able to solve your question, but would you actually be able to share your final working solution here so other users can learn how you got your desired result?

Re: Why is geostats not showing data for all expected countries when the search finishes?

kskujawa — Tue, 30 Aug 2016 18:23:22 GMT

I downvoted this post because how?

Re: Why is geostats not showing data for all expected countries when the search finishes?

marina_rovira — Tue, 29 Sep 2020 10:47:40 GMT

Hey, I haven't answer yet because I wasn't sure about the solution.

Since nobody answer me I don't see the necessity to downvoted this, but anyway, I will exposure my last search which worked, but still not sure of the reason.

This is the first search, the one I wrote in the question:

 index="*alerts"    | dedup Alert    | rename Country as country    | lookup countries.csv  country | rename latitude as lat | rename longitude as lon |eventstats count(Alert) as alerts by country  | geostats  count(alerts) by country globallimit=0

And this one is the working one:

index="*_alerts" | dedup Alert | lookup customer_details.csv  Customer| lookup geo_countries longitude as Longitude, latitude as Latitude | stats count by Country | geom geo_countries  featureIdField="Country"

I guess at the begging, not knowing how the geo_countries lookup was working, I tried another lookup with country information and maybe the geostats was not able to proceed all the longitudes and latitudes and some of the countries disappear because the lack of this information, not in the table but in the process.
Then, after some time doing some test with this lookup table and the geo_attr_us_states default lookup table, I was stating to understand how this default lookup tables were working, and finally, after some test worked out with USA geo stats, I went to use the world geo stats table, and it results.

I had to rename some fields as country (to merge the index and the lookup table) and the latitude and logitude to then do the geom geo_countries. I've found out that besides selecting a field to do the count, this field has to be indicated to as featureIdField.

As you can understand, I'm not sure why the first search didn't work, I've just change to use the splunk default tables for the maps instead of using the other one found in another post (I've consult a lot of questions related to maps).

Sorry for not being able to help more, because as you see, I don't have a concrete solution for this, I've just try a workaround until something worked.

Anything, write again and I will be glad to try to answer or assist in this kind of searches.

Re: Why is geostats not showing data for all expected countries when the search finishes?

kskujawa — Thu, 01 Sep 2016 18:24:11 GMT

Thanks for following up. I did work on my similar issue yesterday and found that if I put a high limit first with the globallimit=0, it mapped all my data:

| top limit=50000 something,Latitude,Longitude
| geostats globallimit=0 latfield=Latitude longfield=Longitude count by something

Re: Why is geostats not showing data for all expected countries when the search finishes?

marina_rovira — Fri, 02 Sep 2016 07:31:48 GMT

Interesting...... Good to know this version too, It might be helpful!

Thank you. Have you indicate something about usenull or useother to be false too? Just to know more.

Re: Why is geostats not showing data for all expected countries when the search finishes?

ppablo — Mon, 12 Sep 2016 23:24:41 GMT

Hi @kskujawa

Please do not downvote someone unless they've suggested something that is not best practice and could potentially do harm in a Splunk environment. Simply comment to ask for more information in the future, and upvote questions, comments, and answers that you find helpful. To learn more about voting etiquette in this community and Splunk Answers, check out this previous Answers post on the topic:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

Re: Why is geostats not showing data for all expected countries when the search finishes?

romedome — Tue, 15 Aug 2017 21:10:31 GMT

Using top fixed it for me. Thanks!