Hi,
I tried using the geostats feature. I got some logs where I have some network timings per client.
I wanted to show this in the map but it seems it only returns one location although multiple exist.
Here is my search:
host="xxxxxxxx" | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | geostats latfield=latitude longfield=longitude avg(rtt) by location
My log looks like this:
client_ip=xxxxxxx server_ip=xxxxxx server_name=undefined client_name=xxxxx uri=someUrl req_L2bytes=3995 rsp_L2bytes=229412 status_code=200 tprocess=3676
This is what is returned:
geobin latitude longitude Location(the name of the site)
bin_id_zl_0_y_6_x_4 xx yy 156.464.006
bin_id_zl_1_y_12_x_8 xx yy 156.464.006
bin_id_zl_2_y_25_x_17 xx yy 156.464.006
bin_id_zl_3_y_51_x_34 xx yy 156.464.006
bin_id_zl_4_y_103_x_68 xx yy 156.464.006
bin_id_zl_5_y_207_x_136 xx yy 156.464.006
bin_id_zl_6_y_414_x_273 xx yy 156.464.006
bin_id_zl_7_y_829_x_547 xx yy 156.464.006
bin_id_zl_8_y_1659_x_1094 xx yy 156.464.006
bin_id_zl_9_y_3318_x_2189 xx yy 156.464.006
Location is the name of one of the sites.
So it only draws one location on the map. Does anybody know why I do not see both locations returned? If I run the command using stats avg(rtt) by location I get both locations.
Best Regards
Troels
I am looking for the output after the lookup. That will tell what was the value of location, latitude, longitude that your lookup "checkip" returned.
Here are some examples from using below command:
| lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude rtt
192.168.1.0/24 US New York NY Office 40.743355 -73.988127 NaN
192.168.1.0/24 US New York NY Office 40.743355 -73.988127 101.5
10.10.10.0/24 Germany Berlin Berlin VPN 52.520399 13.397720 90
10.10.10.0/24 Germany Berlin Berlin VPN 52.520399 13.397720 267
Let me know if that helps.
Best Regards
Troels
Partial information is not helping me completely debug the issue. I need the values of the rtt field, since it is used in stats and geostats.
So, can you provide me just the output of the lookup, or else...
.... | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude rtt
tx.
Hi,
Today I got an error/warning:
.....found 5,799 matching events. However, the transforming commands in the highlighted portion of the following search: geostats latfield=latitude longfield=longitude avg(rtt) by location generated no results.
However, your request returns this:
lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude
192.168.1.0/24 US New York NY Office 40.743355 -73.988127
10.10.10.0/24 Germany Berlin Berlin VPN 52.520399 13.397720
Best Regards
Troels
Hi,
I get the problem that you are seeing, and understand what the csv lookup is doing.
But if you can share the output up to the lookup command (which is fed to geostats),
that will help understand the issue. You can try to obfuscate the non-essential fields.
Also did you look into the search inspector, for warnings or errors?
Hi,
Is this what you are looking for? This comes from the events fed into the query before the lookup, or what the lookup runs on, I guess.
2013-10-10T14:45:33.193Z product my_event=web client_ip=192.168.1.101 server_ip=192.168.1.19 server_name=VM-Server client_name=SomeLaptop uri=192.168.1.19/default.aspx req_L2bytes=4455 rsp_L2bytes=239354 status_code=200 tprocess=1418 nprocess=121 rtt=107 req_rtos=0 rsp_rtos=0 referer=http://192.168.1.19/default.aspx?pg=100125&mn=100101
Sorry but couldn't post more log entries.
I don't see any errors in the inspector log.
Best Regards
Troels
What is the output of this command ...
host="xxxxxxxx" | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude
Hi,
It does a lookup of the client_ip in a CSV and matches against a scope using CIDR.
It then returns the subnet country city location latitude and longitude of that location. I used the latitude and longitude returned in the geostats - latfield=latitude longfield=longitude
But when I see the returned stats I only see one location in the header columns but there should be at least two in my demo.
geobin latitude longitude Location(the name of the site)
Best Regards
Troels
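An offline cross-check of the pipeline this thread describes, added here as an example and not posted by anyone in the thread or taken from Splunk: a CIDR lookup on client_ip followed by an average of rtt per location. The CSV rows are the two shown above; the events, the first-match rule and the skipping of NaN values are assumptions, and the script does not reproduce how geostats bins its results.

```python
import csv
import io
import ipaddress
import math
from collections import defaultdict

# Constructed lookup table using the two rows shown in the thread.
CHECKIP_CSV = """subnet,country,city,location,latitude,longitude
192.168.1.0/24,US,New York,NY Office,40.743355,-73.988127
10.10.10.0/24,Germany,Berlin,Berlin VPN,52.520399,13.397720
"""

# Constructed events: (client_ip, rtt). "NaN" mirrors the NaN row in the thread.
EVENTS = [
    ("192.168.1.101", "NaN"),
    ("192.168.1.101", "101.5"),
    ("10.10.10.7", "90"),
    ("10.10.10.8", "267"),
    ("172.16.0.5", "55"),  # matches no subnet, so it gets no coordinates
]

def load_lookup(text):
    """Parse the CSV and attach a parsed network object to every row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["net"] = ipaddress.ip_network(row["subnet"])
    return rows

def enrich(client_ip, lookup):
    """Return the first lookup row whose subnet contains client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    return next((r for r in lookup if addr in r["net"]), None)

def avg_rtt_by_location(events, lookup):
    """Average numeric rtt per (location, latitude, longitude)."""
    sums = defaultdict(lambda: [0.0, 0])
    for client_ip, raw_rtt in events:
        row = enrich(client_ip, lookup)
        rtt = float(raw_rtt)
        if row is None or math.isnan(rtt):
            continue  # assumption: unmatched or non-numeric events are skipped
        key = (row["location"], float(row["latitude"]), float(row["longitude"]))
        sums[key][0] += rtt
        sums[key][1] += 1
    return {k: total / n for k, (total, n) in sums.items()}

if __name__ == "__main__":
    result = avg_rtt_by_location(EVENTS, load_lookup(CHECKIP_CSV))
    for (loc, lat, lon), avg in result.items():
        print(f"{loc:12} {lat:>10} {lon:>11} avg(rtt)={avg}")
```

With these inputs the script yields one averaged row per site, which is the shape the map search would need to plot both locations.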