All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

counting number of events based on city with geoip

nina15
Communicator
‎12-29-2011 08:53 PM

hi...
I want to use advanced charting reports and I actually need to have a pie chart of cities of the country the query was originated from.
up to this point, I can list down queries from that country and cities I want but Im having dificulties to count them. this:

sourcetype="*" | geoip | search geoip_country_name="Finland"

lists me all events from Finland, for all Finland's cities. I tried:

sourcetype="*" | geoip | search geoip_country_name="Malaysia" | timechart count by geoip_city

which shows me a piechart that counts values of all timestamps!

how can I simply count the geoip_city???

0 Karma
Reply

nina15
Communicator
‎01-11-2012 07:58 PM

I found the answer myself... 🙂
finally to get exactly what I want, it actually has to be like this:

SourceIP=* | geoip SourceIP | search SourceIP_country_name="United States" | stats count(SourceIP_city) as "City Count" by SourceIP_city | rename SourceIP_city as City
0 Karma
Reply

nina15
Communicator
‎01-04-2012 05:30 PM

thats great... thanks...
and when I want to specify a country??
i've tried these ways, doesnt work and i get errors:

SourceIP=* | geoip SourceIP SourceIP_country_name="United States" | stats count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

SourceIP=* | geoip SourceIP | SourceIP_country_name="United States" | stats count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

SourceIP=* | geoip SourceIP_country_name="United States" | stats count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

SourceIP=* | geoip SourceIP AND SourceIP_country_name="United States" | stats count(SourceIP_city) as "City Count" by SourceIP_city | rename SourceIP_city as City

SourceIP=* | geoip SourceIP | stats count(SourceIP_city) as "City Count" by SourceIP_city  AND SourceIP_country_name="United States" | rename SourceIP_city as City

what is the correct way of querying it?

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎01-03-2012 03:48 AM

SourceIP=* | geoip SourceIP | stats count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

Reply

nina15
Communicator
‎01-02-2012 06:28 PM

ok... Im getting confused and I need a bit of help here...
the clientip here is a predefined search operator/field? or a field name that should be defined by user?
none of the above actually gives me any results...
maybe I should explain that for all events I am implementing field extraction using field separator "tab" and the field that events originate from is called SourceIP

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎12-30-2011 05:41 AM

Is this what you want?

clientip=* | geoip clientip | stats count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

Or

clientip=* | geoip clientip | timechart span=1d count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

OR

clientip=* | geoip clientip | chart count(clientip_city) as "City Count" by clientip_city | rename clientip_city as City

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...