Solved: TSTATS, Datamodel, and GEOSTATS issues

frog22 · ‎12-18-2020

I'm trying to eventually utilize the builtin GEOSTATS map to populate a simple map showing the number of IP addresses that hit my firewall from a specific country over a period of time. Problem is, I cannot get anything to work related to GEOSTATS. Hopefully, I can lay this out in a simple manor.....

Datamodel = test

Extracted Fields: Client_IP (field within the log that the Originating IP address is extracted)

test_IP (field alias points to this field, set as IPv4, is the "IP" field utilized within the GEO IP settings)

What works:

1. Datamodel "test": Acceleration is on, status 100% complete, and tstats commands can be used against this datamodel that produce the expected results

2. If I go into datamodel "test", under the GEO IP settings, select "Preview"....It populates with Lat, Long, & Country information

3. | datamodel test search | table Client_IP, test_IP, test_lat, test_lon, test_Country.

- this query produces lat, long, and country results.

3. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP test.test_Country

- this query produces exactly what I would expect to see....The "test_IP" field with IP addresses, "Unique_IP" field with the count of records per IP address, and "test_Country" showing the country the IP address originates from

The Problem: once I add a pipe "|" things stop working. Example:

1. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | table test.test_IP test.test_Country Unique_IP

- only shows the "Unique_IP" field and the results of that field and the IP address in the "test.test_IP" field

2. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | geostats latfield=test.lat longfield=lon globallimit=0

- this produces no "Statistics" and no "Visualization"

I greatly appreciate your time and thank you for your help with this!!

richgalloway · ‎12-18-2020

The tstats command, like stats, only includes in its results the fields that are used in that command. Therefore,

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP

Only sends the Unique_IP and test.test_IP fields downstream to next command. That means there is no test.test_Country field for table to display.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-18-2020

The tstats command, like stats, only includes in its results the fields that are used in that command. Therefore,

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP

Only sends the Unique_IP and test.test_IP fields downstream to next command. That means there is no test.test_Country field for table to display.

---
If this reply helps you, Karma would be appreciated.

frog22 · ‎12-18-2020

Rich,

I'm a little aggravated, but grateful that it was something so easy. A side questions.....Why would someone add a WHERE command and dollar signs before adding a pipe and geostats?

Thanks, again, for the help!!

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ | geostats latfield=test.lat longfield=lon globallimit=0

frog22 · ‎12-18-2020

Apologies, this is more accurate.

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ test.lat test.lon | geostats latfield=test.lat longfield=lon globallimit=0

richgalloway · ‎12-18-2020

The where option applies conditions to tstats. In this case, count only the events with values matching $IP_INDEX$ and $IN_SRC$.

The $ characters denote a token. Tokens come from the inputs of the dashboard that houses the search.

---
If this reply helps you, Karma would be appreciated.

frog22 · ‎12-24-2020

Greatly appreciate the help with this!! Happy holidays to you and yours!!

TSTATS, Datamodel, and GEOSTATS issues

chart

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting