Dashboards & Visualizations

TSTATS, Datamodel, and GEOSTATS issues

frog22
Explorer

I'm trying to eventually utilize the builtin GEOSTATS map to populate a simple map showing the number of IP addresses that hit my firewall from a specific country over a period of time.  Problem is, I cannot get anything to work related to GEOSTATS.  Hopefully, I can lay this out in a simple manor.....

Datamodel = test

   Extracted Fields: Client_IP (field within the log that the Originating IP address is extracted)

                                      test_IP (field alias points to this field, set as IPv4, is the "IP" field utilized within the GEO IP settings)

 

What works:

 1. Datamodel "test": Acceleration is on, status 100% complete,  and tstats commands can be used against this datamodel that produce the expected results

2. If I go into datamodel "test", under the GEO IP settings, select "Preview"....It populates with Lat, Long, & Country information

3. | datamodel test search | table Client_IP, test_IP, test_lat, test_lon, test_Country.      

- this query produces lat, long, and country results.

3. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP test.test_Country

- this query produces exactly what I would expect to see....The "test_IP" field with IP addresses, "Unique_IP" field with the count of records per IP address, and "test_Country" showing the country the IP address originates from

 

The Problem: once I add a pipe "|" things stop working.  Example:

1. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | table test.test_IP test.test_Country Unique_IP

- only shows the "Unique_IP" field and the results of that field and the IP address in the "test.test_IP" field

2. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | geostats latfield=test.lat longfield=lon globallimit=0

- this produces no "Statistics" and no "Visualization"

 

I greatly appreciate your time and thank you for your help with this!!

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The tstats command, like stats, only includes in its results the fields that are used in that command.  Therefore, 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP 

Only sends the Unique_IP and test.test_IP fields downstream to next command.  That means there is no test.test_Country field for table to display.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The tstats command, like stats, only includes in its results the fields that are used in that command.  Therefore, 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP 

Only sends the Unique_IP and test.test_IP fields downstream to next command.  That means there is no test.test_Country field for table to display.

---
If this reply helps you, Karma would be appreciated.
0 Karma

frog22
Explorer

Rich,

I'm a little aggravated, but grateful that it was something so easy.  A side questions.....Why would someone add a WHERE command and dollar signs before adding a pipe and geostats?

Thanks, again, for the help!!

 

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ | geostats latfield=test.lat longfield=lon globallimit=0 

 

0 Karma

frog22
Explorer

Apologies, this is more accurate.

| tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP WHERE $IP_INDEX$ $IN_SRC$ test.lat test.lon | geostats latfield=test.lat longfield=lon globallimit=0 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The where option applies conditions to tstats.  In this case, count only the events with values matching $IP_INDEX$ and $IN_SRC$.

The $ characters denote a token.  Tokens come from the inputs of the dashboard that houses the search.

---
If this reply helps you, Karma would be appreciated.

frog22
Explorer

Greatly appreciate the help with this!!  Happy holidays to you and yours!!

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...