I'm trying to eventually utilize the builtin GEOSTATS map to populate a simple map showing the number of IP addresses that hit my firewall from a specific country over a period of time. Problem is, I cannot get anything to work related to GEOSTATS. Hopefully, I can lay this out in a simple manor.....
Datamodel = test
Extracted Fields: Client_IP (field within the log that the Originating IP address is extracted)
test_IP (field alias points to this field, set as IPv4, is the "IP" field utilized within the GEO IP settings)
What works:
1. Datamodel "test": Acceleration is on, status 100% complete, and tstats commands can be used against this datamodel that produce the expected results
2. If I go into datamodel "test", under the GEO IP settings, select "Preview"....It populates with Lat, Long, & Country information
3. | datamodel test search | table Client_IP, test_IP, test_lat, test_lon, test_Country.
- this query produces lat, long, and country results.
3. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP test.test_Country
- this query produces exactly what I would expect to see....The "test_IP" field with IP addresses, "Unique_IP" field with the count of records per IP address, and "test_Country" showing the country the IP address originates from
The Problem: once I add a pipe "|" things stop working. Example:
1. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | table test.test_IP test.test_Country Unique_IP
- only shows the "Unique_IP" field and the results of that field and the IP address in the "test.test_IP" field
2. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | geostats latfield=test.lat longfield=lon globallimit=0
- this produces no "Statistics" and no "Visualization"
I greatly appreciate your time and thank you for your help with this!!
The tstats command, like stats, only includes in its results the fields that are used in that command. Therefore,
| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP
Only sends the Unique_IP and test.test_IP fields downstream to next command. That means there is no test.test_Country field for table to display.
The tstats command, like stats, only includes in its results the fields that are used in that command. Therefore,
| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP
Only sends the Unique_IP and test.test_IP fields downstream to next command. That means there is no test.test_Country field for table to display.
Rich,
I'm a little aggravated, but grateful that it was something so easy. A side questions.....Why would someone add a WHERE command and dollar signs before adding a pipe and geostats?
Thanks, again, for the help!!
| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ | geostats latfield=test.lat longfield=lon globallimit=0
Apologies, this is more accurate.
| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ test.lat test.lon | geostats latfield=test.lat longfield=lon globallimit=0
The where option applies conditions to tstats. In this case, count only the events with values matching $IP_INDEX$ and $IN_SRC$.
The $ characters denote a token. Tokens come from the inputs of the dashboard that houses the search.
Greatly appreciate the help with this!! Happy holidays to you and yours!!