Dashboards & Visualizations

TSTATS, Datamodel, and GEOSTATS issues

frog22
Explorer

I'm trying to eventually utilize the builtin GEOSTATS map to populate a simple map showing the number of IP addresses that hit my firewall from a specific country over a period of time.  Problem is, I cannot get anything to work related to GEOSTATS.  Hopefully, I can lay this out in a simple manner.....

Datamodel = test

Extracted Fields:

- Client_IP (field within the log from which the originating IP address is extracted)
- test_IP (field alias that points to this field, set as IPv4; this is the "IP" field utilized within the GEO IP settings)

 

What works:

1. Datamodel "test": Acceleration is on, status 100% complete, and tstats commands can be used against this datamodel that produce the expected results

2. If I go into datamodel "test", under the GEO IP settings, select "Preview"....It populates with Lat, Long, & Country information

3. | datamodel test search | table Client_IP, test_IP, test_lat, test_lon, test_Country

- this query produces lat, long, and country results.

4. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP test.test_Country

- this query produces exactly what I would expect to see....The "test_IP" field with IP addresses, "Unique_IP" field with the count of records per IP address, and "test_Country" showing the country the IP address originates from

 

The Problem: once I add a pipe "|" things stop working.  Example:

1. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | table test.test_IP test.test_Country Unique_IP

- only shows the "Unique_IP" field and the results of that field and the IP address in the "test.test_IP" field

2. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | geostats latfield=test.lat longfield=lon globallimit=0

- this produces no "Statistics" and no "Visualization"

 

I greatly appreciate your time and thank you for your help with this!!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The tstats command, like stats, only includes in its results the fields that are used in that command.  Therefore, 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP 

Only sends the Unique_IP and test.test_IP fields downstream to the next command.  That means there is no test.test_Country field for table to display.

---
If this reply helps you, Karma would be appreciated.

0 Karma


frog22
Explorer

Rich,

I'm a little aggravated, but grateful that it was something so easy.  A side question.....Why would someone add a WHERE command and dollar signs before adding a pipe and geostats?

Thanks, again, for the help!!

 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ | geostats latfield=test.lat longfield=lon globallimit=0 

 

0 Karma

frog22
Explorer

Apologies, this is more accurate.

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ test.lat test.lon | geostats latfield=test.lat longfield=lon globallimit=0 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The where option applies conditions to tstats.  In this case, count only the events with values matching $IP_INDEX$ and $IN_SRC$.

The $ characters denote a token.  Tokens come from the inputs of the dashboard that houses the search.

---
If this reply helps you, Karma would be appreciated.
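Putting both answers together, here is an added example (not frog22's or richgalloway's code) of a Simple XML dashboard that carries the lat, lon and country fields through tstats into geostats and feeds the WHERE clause from a dashboard token. It assumes the accelerated fields are named test.test_lat and test.test_lon (inferred from the test_lat/test_lon columns in the datamodel search above), that a text input supplies the $IN_SRC$ token, and that the dashboard label and the time token tm are arbitrary choices. Note that in tstats the WHERE clause comes before BY, and every field geostats needs (lat, lon, country, IP) must appear in the BY list or it is dropped before reaching geostats.

```xml
<form>
  <label>Firewall hits by country (added example)</label>
  <fieldset submitButton="true">
    <!-- Text input whose value becomes the $IN_SRC$ token; "*" matches every source IP -->
    <input type="text" token="IN_SRC">
      <label>Source IP filter (exact IP or wildcard, e.g. 10.0.*)</label>
      <default>*</default>
    </input>
    <!-- Time picker; its earliest/latest become $tm.earliest$ and $tm.latest$ -->
    <input type="time" token="tm">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Distinct source IPs per country</title>
      <map>
        <search>
          <!-- WHERE must precede BY; lat/lon/country are kept only because they are in BY.
               rename gives geostats plain field names; dc() counts distinct IPs per map bin. -->
          <query>| tstats count AS Unique_IP FROM datamodel="test" WHERE test.test_IP=$IN_SRC$ BY test.test_IP test.test_lat test.test_lon test.test_Country | rename test.test_IP AS src_ip, test.test_lat AS lat, test.test_lon AS lon, test.test_Country AS Country | geostats latfield=lat longfield=lon globallimit=0 dc(src_ip) AS unique_ips BY Country</query>
          <earliest>$tm.earliest$</earliest>
          <latest>$tm.latest$</latest>
        </search>
      </map>
    </panel>
  </row>
</form>
```

Running the query portion on its own in Search with $IN_SRC$ replaced by a literal (for example `*`) is a quick way to confirm the Statistics tab now shows lat, lon and Country columns before wiring it into the dashboard; if any of those columns is empty, the corresponding field is missing from the BY clause.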

frog22
Explorer

Greatly appreciate the help with this!!  Happy holidays to you and yours!!

 

0 Karma