
TSTATS, Datamodel, and GEOSTATS issues

frog22
Explorer

I'm trying to eventually utilize the builtin GEOSTATS map to populate a simple map showing the number of IP addresses that hit my firewall from a specific country over a period of time.  Problem is, I cannot get anything to work related to GEOSTATS.  Hopefully, I can lay this out in a simple manner.....

Datamodel = test

Extracted Fields: Client_IP (field within the log that the Originating IP address is extracted)

test_IP (field alias points to this field, set as IPv4, is the "IP" field utilized within the GEO IP settings)

 

What works:

1. Datamodel "test": Acceleration is on, status 100% complete, and tstats commands can be used against this datamodel that produce the expected results

2. If I go into datamodel "test", under the GEO IP settings, select "Preview"....It populates with Lat, Long, & Country information

3. | datamodel test search | table Client_IP, test_IP, test_lat, test_lon, test_Country

- this query produces lat, long, and country results.

4. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP test.test_Country

- this query produces exactly what I would expect to see....The "test_IP" field with IP addresses, "Unique_IP" field with the count of records per IP address, and "test_Country" showing the country the IP address originates from

 

The Problem: once I add a pipe "|" things stop working.  Example:

1. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | table test.test_IP test.test_Country Unique_IP

- only shows the "Unique_IP" field and the results of that field and the IP address in the "test.test_IP" field

2. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | geostats latfield=test.lat longfield=lon globallimit=0

- this produces no "Statistics" and no "Visualization"

 

I greatly appreciate your time and thank you for your help with this!!

0 Karma

richgalloway
SplunkTrust

The tstats command, like stats, only includes in its results the fields that are used in that command.  Therefore, 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP 

Only sends the Unique_IP and test.test_IP fields downstream to next command.  That means there is no test.test_Country field for table to display.

---
If this reply helps you, Karma would be appreciated.


0 Karma
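Putting the accepted answer into practice, here is an added example (not a query from the thread) that carries every field geostats needs through the tstats BY clause, then counts distinct IPs per country on the map. It assumes the datamodel's latitude and longitude fields are test_lat and test_lon, matching the field names shown by the datamodel search in the question (so they arrive from tstats as test.test_lat and test.test_lon), and that the dashboard tokens $IP_INDEX$ and $IN_SRC$ are filled in by the hosting dashboard.

```spl
| tstats count AS Unique_IP FROM datamodel="test"
    WHERE $IP_INDEX$ $IN_SRC$
    BY test.test_IP test.test_Country test.test_lat test.test_lon
| rename test.* AS *
| geostats latfield=test_lat longfield=test_lon globallimit=0 dc(test_IP) BY test_Country
```

Because test_Country, test_lat and test_lon are now in the BY clause, the same tstats line also makes `| table test_IP test_Country Unique_IP` return all three columns; the rename only strips the dataset prefix so the geostats options read more simply.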


frog22
Explorer

Rich,

I'm a little aggravated, but grateful that it was something so easy.  A side question.....Why would someone add a WHERE command and dollar signs before adding a pipe and geostats?

Thanks, again, for the help!!

 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ | geostats latfield=test.lat longfield=lon globallimit=0 

 

0 Karma

frog22
Explorer

Apologies, this is more accurate.

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ test.lat test.lon | geostats latfield=test.lat longfield=lon globallimit=0 

 

0 Karma

richgalloway
SplunkTrust

The where option applies conditions to tstats.  In this case, count only the events with values matching $IP_INDEX$ and $IN_SRC$.

The $ characters denote a token.  Tokens come from the inputs of the dashboard that houses the search.

---
If this reply helps you, Karma would be appreciated.

frog22
Explorer

Greatly appreciate the help with this!!  Happy holidays to you and yours!!

 

0 Karma