Splunk Search

Can't make geostats return multiple locations

New Member

Hi,

I tried using the geostats feature. I got some logs where I have some network timings per client.
I wanted to show this in the map but it seems it only returns one location although multiple exists.

Here is my search:

host="xxxxxxxx" | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | geostats latfield=latitude longfield=longitude avg(rtt) by location

My log looks like this:

clientip=xxxxxxx serverip=xxxxxx servername=undefined clientname=xxxxx uri=someUrl reqL2bytes=3995 rspL2bytes=229412 status_code=200 tprocess=3676

This is what is returned:

geobin               latitude  longitude  Location (the name of the site)
binidzl0y6x_4        xx        yy         156.464.006
binidzl1y12x_8       xx        yy         156.464.006
binidzl2y25x_17      xx        yy         156.464.006
binidzl3y51x_34      xx        yy         156.464.006
binidzl4y103x_68     xx        yy         156.464.006
binidzl5y207x_136    xx        yy         156.464.006
binidzl6y414x_273    xx        yy         156.464.006
binidzl7y829x_547    xx        yy         156.464.006
binidzl8y1659x_1094  xx        yy         156.464.006
binidzl9y3318x_2189  xx        yy         156.464.006

Location is the name of one of the sites.

So it only draws one location on the map. Does anybody know why I do not see both locations returned? If I run the command using stats avg(rtt) by location I get both locations.

Best Regards
Troels


Re: Can't make geostats return multiple locations

Splunk Employee

What is the output of this command ...

host="xxxxxxxx" | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude


Re: Can't make geostats return multiple locations

New Member

Hi,

It does a lookup of the client_ip in a CSV and matches against a scope using CIDR.

It then returns the subnet country city location latitude and longitude of that location. I used the latitude and longitude returned in the geostats - latfield=latitude longfield=longitude

But when I see the returned stats I only see one location in the header columns, but there should be at least two in my demo.

geobin latitude longitude Location (the name of the site)

Best Regards
Troels


Re: Can't make geostats return multiple locations

Splunk Employee

Hi,

I get the problem that you are seeing, and understand what the csv lookup is doing.
But if you can share the output up to the lookup command (which is fed to geostats),
that will help me understand the issue. You can try to obfuscate the non-essential fields.

Also did you look into the search inspector, for warnings or errors?


Re: Can't make geostats return multiple locations

New Member

Hi,

Is this what you are looking for? This comes from the events fed into the query before the lookup, or what the lookup runs on, I guess.

2013-10-10T14:45:33.193Z product myevent=web clientip=192.168.1.101 serverip=192.168.1.19 servername=VM-Server clientname=SomeLaptop uri=192.168.1.19/default.aspx reqL2bytes=4455 rspL2bytes=239354 statuscode=200 tprocess=1418 nprocess=121 rtt=107 reqrtos=0 rsprtos=0 referer=http://192.168.1.19/default.aspx?pg=100125&mn=100101

Sorry but couldn't post more log entries.

I don't see any errors in the inspector log.

Best Regards
Troels


Re: Can't make geostats return multiple locations

Splunk Employee

I am looking for the output after the lookup. That will tell what the values of
location, latitude and longitude were that your lookup "checkip" returned.


Re: Can't make geostats return multiple locations

New Member

Hi,

Today I got an error/warning:

.....found 5,799 matching events. However, the transforming commands in the highlighted portion of the following search: geostats latfield=latitude longfield=longitude avg(rtt) by location generated no results.

However, your request returns this:

lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude

192.168.1.0/24  US       New York  NY Office   40.743355  -73.988127
10.10.10.0/24   Germany  Berlin    Berlin VPN  52.520399  13.397720

Best Regards
Troels


Re: Can't make geostats return multiple locations

Splunk Employee

Partial information is not helping me completely
debug the issue. I need the values of the rtt field,
since it is used in stats and geostats.

So, can you provide me just the output of the lookup, or
else...

.... | lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude rtt

tx.


Re: Can't make geostats return multiple locations

New Member

Here are some examples from using the command below:

| lookup checkip subnet as client_ip OUTPUT subnet country city location latitude longitude | table subnet country city location latitude longitude rtt

192.168.1.0/24  US       New York  NY Office   40.743355  -73.988127  NaN
192.168.1.0/24  US       New York  NY Office   40.743355  -73.988127  101.5
10.10.10.0/24   Germany  Berlin    Berlin VPN  52.520399  13.397720   90
10.10.10.0/24   Germany  Berlin    Berlin VPN  52.520399  13.397720   267

Let me know if that helps.

Best Regards
Troels

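As an added example (not from the thread, and not Splunk's own code), the following Python script emulates the CIDR lookup and the avg(rtt) by location aggregation offline, using a constructed stand-in for the checkip CSV (same columns as posted) and constructed events in the posted key=value format; the event field name clientip is taken from the posted log line and is an assumption. It shows both sites surviving the lookup and that the NaN rtt rows seen in the lookup output drop out of the average without removing the location.

```python
import csv
import io
import ipaddress
import math
from collections import defaultdict

# Constructed stand-in for the thread's "checkip" lookup CSV (same columns).
CHECKIP_CSV = """subnet,country,city,location,latitude,longitude
192.168.1.0/24,US,New York,NY Office,40.743355,-73.988127
10.10.10.0/24,Germany,Berlin,Berlin VPN,52.520399,13.397720
"""

# Constructed events in the thread's key=value format (one NaN rtt, one unmatched IP).
EVENTS = [
    "clientip=192.168.1.101 serverip=192.168.1.19 statuscode=200 rtt=NaN",
    "clientip=192.168.1.102 serverip=192.168.1.19 statuscode=200 rtt=101.5",
    "clientip=10.10.10.7 serverip=192.168.1.19 statuscode=200 rtt=90",
    "clientip=10.10.10.8 serverip=192.168.1.19 statuscode=200 rtt=267",
    "clientip=172.16.5.5 serverip=192.168.1.19 statuscode=200 rtt=55",
]

def load_lookup(text):
    """Parse the CSV into (network, row) pairs for CIDR matching."""
    return [(ipaddress.ip_network(r["subnet"]), r)
            for r in csv.DictReader(io.StringIO(text))]

def parse_event(line):
    """Split key=value pairs as Splunk's automatic field extraction would."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def cidr_lookup(ip, lookup):
    """Return the first lookup row whose subnet contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((row for net, row in lookup if addr in net), None)

def avg_rtt_by_location(events, lookup, ip_field="clientip"):
    """Emulate '... | lookup checkip subnet as <ip_field> OUTPUT ... | stats avg(rtt) by location'.
    Returns {location: (avg_rtt, (lat, lon))} so each site can be plotted."""
    sums, counts, coords = defaultdict(float), defaultdict(int), {}
    for line in events:
        ev = parse_event(line)
        row = cidr_lookup(ev.get(ip_field, "0.0.0.0"), lookup)
        rtt = float(ev.get("rtt", "nan"))  # missing rtt -> NaN
        if row is None or math.isnan(rtt):
            continue  # unmatched IP has no location; stats avg() ignores non-numeric rtt
        loc = row["location"]
        sums[loc] += rtt
        counts[loc] += 1
        coords[loc] = (float(row["latitude"]), float(row["longitude"]))
    return {loc: (sums[loc] / counts[loc], coords[loc]) for loc in counts}
```

Run it against your real checkip CSV and a handful of exported events to confirm that both locations, with their latitude and longitude, really reach the aggregation step before geostats.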