Splunk Search

Filter ip_city in timechart

gt2013
Engager

Yello,
Being new to Splunk and still amazed at its capabilities, I have this query and trying to filter out ip_city name 'OTHER' that keeps showing up:

source="/users/a/access" | localop | lookup geo ip as remoteip | search ip_city != "other" | timechart count by ip_city

No cigar 😕

Would anyone be able to help?
Thanks in advance.

0 Karma
1 Solution

lguinn2
Legend

Aha! I think the problem is that the timechart command sees more than 10 (the default number) of ip_city values, so it only shows the first 10 in the chart, and summarizes the remainder into an entry called "OTHER". That's why you can't eliminate it with your search! (nice try, tho!)

Take a look at the timechart command, and perhaps use the options to try it this way instead:

source="/users/a/access"  | localop 
| lookup geo ip as remoteip 
| timechart limit=0 count by ip_city

I hope that will work for you! If not, perhaps there is a different problem. In that case, you might try this first, just to see what you get...

source="/users/a/access"  | localop 
| lookup geo ip as remoteip 
| stats count by ip_city

View solution in original post

lguinn2
Legend

Aha! I think the problem is that the timechart command sees more than 10 (the default number) of ip_city values, so it only shows the first 10 in the chart, and summarizes the remainder into an entry called "OTHER". That's why you can't eliminate it with your search! (nice try, tho!)

Take a look at the timechart command, and perhaps use the options to try it this way instead:

source="/users/a/access"  | localop 
| lookup geo ip as remoteip 
| timechart limit=0 count by ip_city

I hope that will work for you! If not, perhaps there is a different problem. In that case, you might try this first, just to see what you get...

source="/users/a/access"  | localop 
| lookup geo ip as remoteip 
| stats count by ip_city

gkanapathy
Splunk Employee
Splunk Employee

or useother=false added to the timechart command if you only want the top 10.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...