Solved: regroup items in cluster map

sweiland · ‎02-15-2021

Hi there,

Just a quick question on the cluster map that is not really displaying what we are aiming for...

We have a simple query which is then piped to iplocation then geostats as this:

query | iplocation myIP | geostats count by Country globallimit=0

We are trying to "regroup" items by Country, as it may seem obvious, but it is more difficult than expected.

Here is an example of the output (guess geobin/lat/lon is messing with us):

Blue canada is splitted into 2 locations, and USA in at least 4, we would like to have a cluster more or less like the chloromap.

If we count by Country before geostats, it shows the expected result (in a table), but if we apply geostats it is splitted by location, any way to circumvent this ?

We tried to use another iplocation prefix, and geostats count by myCountry, does not work either 😞

sweiland · ‎02-17-2021

Found the solution by using a lookup file

Idea is to stats count by country, and then lookup the latitude/longitude on the aggregated results, then pipe to geostats

Works well

View solution in original post

sweiland · ‎02-17-2021

Found the solution by using a lookup file

Idea is to stats count by country, and then lookup the latitude/longitude on the aggregated results, then pipe to geostats

Works well

regroup items in cluster map

saved search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor