hi
I use the search below in order to display markers on a map
As you can see, I use a join command in order to cross events by site between the lookup and the search
index=toto sourcetype=tutu
| stats count as PbPerf by site sam
| search PbPerf > 10
| stats dc(sam) as nbsam by site
| where isnotnull(site)
| join type=left site
[| inputlookup BpLtLg.csv
| rename siteName as site
| fields site latitude longitude ]
| table site nbsam latitude longitude
| geostats latfield=latitude longfield=longitude globallimit=0 count(nbsam)
But the problem is that I have a difference between the marker displayed on the map and the reality
For example, if I focus on a specific site like MONTE CARLO, I have 10 events
But on the map, I just have 2 markers in this area with a count equal to 6 instead of 10, even if I play with the zoom
So I understand nothing
Is it possible that this issue comes from the join command?
If yes, is there another solution to improve my search?
thanks
Rather than join + inputlookup, try lookup
index=toto sourcetype=tutu
| stats count as PbPerf by site sam
| search PbPerf > 10
| stats dc(sam) as nbsam by site
| where isnotnull(site)
| lookup BpLtLg.csv siteName AS site OUTPUT latitude longitude
| table site nbsam latitude longitude
| geostats latfield=latitude longfield=longitude globallimit=0 count(nbsam)
perfect it's better without join!
but I have the same issue
If I have a look at a specific site like MONTE CARLO, you can see that I found 11 events
so why in this area I found only 2 markers corresponding to 6 events instead of 12?
Does this work for you?
| geostats latfield=latitude longfield=longitude globallimit=0 sum(nbsam)
it's better now, you are the best!
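Added example, not part of the original thread: why count(nbsam) and sum(nbsam) give different marker values. After "stats dc(sam) as nbsam by site" there is one row per site, so count(nbsam) counts rows (sites) while sum(nbsam) adds up the nbsam values. The site names, nbsam values and coordinates below are constructed sample data, and plain stats is used in place of geostats so the two aggregations can be compared side by side in one result row.

```spl
| makeresults count=3
| streamstats count as n
| eval site=case(n=1,"EXAMPLE_SITE_A", n=2,"EXAMPLE_SITE_B", n=3,"EXAMPLE_SITE_C")
| eval nbsam=case(n=1,4, n=2,1, n=3,5)
| eval latitude=43.74, longitude=7.42
| table site nbsam latitude longitude
| stats count(nbsam) as count_nbsam sum(nbsam) as sum_nbsam
```

With these three constructed rows, count_nbsam is 3 (one per site) and sum_nbsam is 10 (4 + 1 + 5). geostats applies the chosen aggregation to the rows that fall into each map cell in the same way.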