Can't make geostats return multiple locations

TroelsJensen
New Member

Hi,

I tried using the geostats feature. I got some logs where I have some network timings per client.
I wanted to show this in the map but it seems it only returns one location although multiple exists.

Here is my search:

host="xxxxxxxx" | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | geostats latfield=latitude longfield=longitude avg(rtt) by location

My log looks like this:

client_ip=xxxxxxx server_ip=xxxxxx server_name=undefined client_name=xxxxx uri=someUrl req_L2bytes=3995 rsp_L2bytes=229412 status_code=200 tprocess=3676

This is what is returned:

geobin                     latitude  longitude  Location (the name of the site)
bin_id_zl_0_y_6_x_4        xx        yy         156.464.006
bin_id_zl_1_y_12_x_8       xx        yy         156.464.006
bin_id_zl_2_y_25_x_17      xx        yy         156.464.006
bin_id_zl_3_y_51_x_34      xx        yy         156.464.006
bin_id_zl_4_y_103_x_68     xx        yy         156.464.006
bin_id_zl_5_y_207_x_136    xx        yy         156.464.006
bin_id_zl_6_y_414_x_273    xx        yy         156.464.006
bin_id_zl_7_y_829_x_547    xx        yy         156.464.006
bin_id_zl_8_y_1659_x_1094  xx        yy         156.464.006
bin_id_zl_9_y_3318_x_2189  xx        yy         156.464.006

Location is the name of one of the sites.

So it only draws one location on the map. Does anybody know why I do not see both locations returned? If I run the command using stats avg(rtt) by location I get both locations.

Best Regards
Troels


arahut_splunk
Splunk Employee

I am looking for the output after the lookup. That will tell what the values of
location, latitude and longitude returned by your lookup "checkip" were.


TroelsJensen
New Member

Here are some examples from using below command:

| lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude rtt

subnet          country  city      location    latitude   longitude   rtt
192.168.1.0/24  US       New York  NY Office   40.743355  -73.988127  NaN
192.168.1.0/24  US       New York  NY Office   40.743355  -73.988127  101.5
10.10.10.0/24   Germany  Berlin    Berlin VPN  52.520399  13.397720   90
10.10.10.0/24   Germany  Berlin    Berlin VPN  52.520399  13.397720   267

Let me know if that helps.

Best Regards
Troels


arahut_splunk
Splunk Employee

Partial information is not helping me completely
debug the issue. I need the values of the rtt field,
since it is used in stats and geostats.

So, can you provide me just the output of the lookup, or
else...

.... | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude rtt

Thanks.


TroelsJensen
New Member

Hi,

Today I got an error/warning:

.....found 5,799 matching events. However, the transforming commands in the highlighted portion of the following search: geostats latfield=latitude longfield=longitude avg(rtt) by location generated no results.

However, your request returns this:

lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude

subnet          country  city      location    latitude   longitude
192.168.1.0/24  US       New York  NY Office   40.743355  -73.988127
10.10.10.0/24   Germany  Berlin    Berlin VPN  52.520399  13.397720

Best Regards
Troels


arahut_splunk
Splunk Employee

Hi,

I get the problem that you are seeing, and understand what the CSV lookup is doing.
But if you can share the output up to the lookup command (which is fed to geostats),
that will help understand the issue. You can obfuscate the non-essential fields.

Also did you look into the search inspector, for warnings or errors?


TroelsJensen
New Member

Hi,

Is this what you are looking for? This comes from the events fed into the query before the lookup, or what the lookup runs on, I guess.

2013-10-10T14:45:33.193Z product my_event=web client_ip=192.168.1.101 server_ip=192.168.1.19 server_name=VM-Server client_name=SomeLaptop uri=192.168.1.19/default.aspx req_L2bytes=4455 rsp_L2bytes=239354 status_code=200 tprocess=1418 nprocess=121 rtt=107 req_rtos=0 rsp_rtos=0 referer=http://192.168.1.19/default.aspx?pg=100125&mn=100101

Sorry but couldn't post more log entries.

I don't see any errors in the inspector log.

Best Regards
Troels


arahut_splunk
Splunk Employee

What is the output of this command ...

host="xxxxxxxx" | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude


TroelsJensen
New Member

Hi,

It does a lookup of the client_ip in a CSV and matches it against a scope using CIDR.

It then returns the subnet country city location latitude and longitude of that location. I used the latitude and longitude returned in the geostats - latfield=latitude longfield=longitude

But when I see the returned stats I only see one location in the header columns, but there should be at least two in my demo.

geobin latitude longitude Location(the name of the site)

Best Regards
Troels

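The lookup described in this thread (a CSV of subnets matched against client_ip by CIDR, then avg(rtt) grouped by location) can be reproduced outside Splunk to check what geostats is actually being fed. The script below is an added example, not code from the thread or from Splunk; the checkip rows and the event lines are constructed to mirror the samples posted above (the real subnet file and log lines are not on the page). It does two things worth verifying before blaming geostats: it reports events whose client_ip matches no subnet (those rows have no latitude/longitude at all), and it skips non-numeric rtt values such as the NaN row shown earlier, so the per-location averages are computed only from real measurements.

```python
import csv
import io
import ipaddress
import math
from collections import defaultdict

# Constructed stand-in for the "checkip" CSV lookup (not the poster's real file).
CHECKIP_CSV = """subnet,country,city,location,latitude,longitude
192.168.1.0/24,US,New York,NY Office,40.743355,-73.988127
10.10.10.0/24,Germany,Berlin,Berlin VPN,52.520399,13.397720
"""

# Constructed events in the same key=value shape as the one posted in the thread.
# The last one deliberately falls outside every subnet in the lookup.
EVENTS = [
    "client_ip=192.168.1.101 server_ip=192.168.1.19 status_code=200 tprocess=1418 rtt=107",
    "client_ip=192.168.1.102 server_ip=192.168.1.19 status_code=200 tprocess=1500 rtt=NaN",
    "client_ip=10.10.10.5 server_ip=192.168.1.19 status_code=200 tprocess=3676 rtt=90",
    "client_ip=10.10.10.7 server_ip=192.168.1.19 status_code=200 tprocess=2000 rtt=267",
    "client_ip=172.16.0.9 server_ip=192.168.1.19 status_code=200 tprocess=100 rtt=55",
]


def load_lookup(text):
    """Parse the CSV into (network, row) pairs, most specific prefix first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((ipaddress.ip_network(row["subnet"]), row))
    # Longest prefix first so an overlapping, narrower subnet wins.
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def parse_event(line):
    """Split a key=value event line into a dict (values stay as strings)."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def lookup_cidr(ip, table):
    """Return the first lookup row whose subnet contains ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed or missing client_ip: no match, no coordinates
    for net, row in table:
        if addr in net:
            return row
    return None


def avg_rtt_by_location(events, table):
    """Mimic 'lookup ... | stats avg(rtt) by location latitude longitude'.

    Returns ({(location, lat, lon): avg_rtt}, [unmatched client_ips]).
    Non-numeric rtt values (e.g. NaN) are excluded from the average.
    """
    sums = defaultdict(float)
    counts = defaultdict(int)
    unmatched = []
    for line in events:
        ev = parse_event(line)
        row = lookup_cidr(ev.get("client_ip", ""), table)
        if row is None:
            unmatched.append(ev.get("client_ip"))
            continue
        try:
            rtt = float(ev.get("rtt", ""))
        except ValueError:
            continue
        if math.isnan(rtt):
            continue
        key = (row["location"], float(row["latitude"]), float(row["longitude"]))
        sums[key] += rtt
        counts[key] += 1
    averages = {key: sums[key] / counts[key] for key in sums}
    return averages, unmatched


if __name__ == "__main__":
    table = load_lookup(CHECKIP_CSV)
    averages, unmatched = avg_rtt_by_location(EVENTS, table)
    for (location, lat, lon), avg in averages.items():
        print(f"{location:<12} {lat:>10} {lon:>11} avg(rtt)={avg}")
    print("events with no subnet match:", unmatched)
```

With the constructed input this yields one row per location (NY Office from a single numeric rtt, Berlin VPN from two), plus one client_ip that matched nothing. Events in that last category carry no latitude/longitude into geostats, and an rtt of NaN contributes nothing to an average, so both are worth counting in the real data before the geostats step.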