Splunk Search

Geostats not giving count

kavyatim
Path Finder

Hi I am trying to plot count of faults by location on gmaps,
Query i am using is as below :
source="geo.csv" | table city,latitude,longitude|eval CITY=upper(city) | table CITY,latitude,longitude | rename CITY as Localidade | join Localidade [search
source="Areas para CNL .csv"] | table Localidade,AT,latitude,longitude | rename AT as AREA| join AREA [search source="/TEF_BRAZIL/base_bds_adslnew3.txt"] | table
N_BD,AREA,Localidade,latitude,longitude | geostats latfield=latitude longfield=longitude count(N_BD) by Localidade

but it giving me the below error:
split by field Localidade has large number of unique values 564 . Chart column set will be trimmed to 10. Use globallimit argument to control column count

Can any one correct me in getting right results.

Thanking you

Tags (1)
0 Karma
1 Solution

lguinn2
Legend

This is not an error, but a warning. It is telling you that you have many unique values for the Localidade field. geostats is computing a count for each of the values of Localidade in addition to considering the lat/long. It is not possible for geostats to display that many statistics, so it has chosen only the 10 top Localidade values to display.

You can fix this in one of two ways:

Option 1) Set the globallimit field as suggested

source="geo.csv" 
| eval Localidade=upper(city) 
| table Localidade,latitude,longitude
| join Localidade  [search source="Areas para CNL .csv" ] 
| table Localidade,AT,latitude,longitude 
| rename AT as AREA
| join AREA [search source="/TEF_BRAZIL/base_bds_adslnew3.txt" ] 
| table N_BD, AREA,Localidade,latitude,longitude 
| geostats latfield=latitude longfield=longitude  count(N_BD) by Localidade globallimit=10

Option 2) Reconsider your search. First, what are you counting? The statistic count(N_BD) is the count of the number of events that have a value in the N_DB field. Second, the geostats command will group the data by lat/long - since the Localidade field is just another way to define the place, you should be able to omit it. Perhaps you would prefer this:

source="geo.csv"  | fields city latitude longitude
| eval Localidade=upper(city) 
| join Localidade  [search source="Areas para CNL .csv" | fields AT ] 
| rename AT as AREA
| join AREA [search source="/TEF_BRAZIL/base_bds_adslnew3.txt" | fields N_BD ] 
| geostats latfield=latitude longfield=longitude  count(N_BD) 

View solution in original post

lguinn2
Legend

This is not an error, but a warning. It is telling you that you have many unique values for the Localidade field. geostats is computing a count for each of the values of Localidade in addition to considering the lat/long. It is not possible for geostats to display that many statistics, so it has chosen only the 10 top Localidade values to display.

You can fix this in one of two ways:

Option 1) Set the globallimit field as suggested

source="geo.csv" 
| eval Localidade=upper(city) 
| table Localidade,latitude,longitude
| join Localidade  [search source="Areas para CNL .csv" ] 
| table Localidade,AT,latitude,longitude 
| rename AT as AREA
| join AREA [search source="/TEF_BRAZIL/base_bds_adslnew3.txt" ] 
| table N_BD, AREA,Localidade,latitude,longitude 
| geostats latfield=latitude longfield=longitude  count(N_BD) by Localidade globallimit=10

Option 2) Reconsider your search. First, what are you counting? The statistic count(N_BD) is the count of the number of events that have a value in the N_DB field. Second, the geostats command will group the data by lat/long - since the Localidade field is just another way to define the place, you should be able to omit it. Perhaps you would prefer this:

source="geo.csv"  | fields city latitude longitude
| eval Localidade=upper(city) 
| join Localidade  [search source="Areas para CNL .csv" | fields AT ] 
| rename AT as AREA
| join AREA [search source="/TEF_BRAZIL/base_bds_adslnew3.txt" | fields N_BD ] 
| geostats latfield=latitude longfield=longitude  count(N_BD) 

SanthoshSreshta
Contributor

Hi.

How to get count of some_column="AAA" in geostats command..
help please?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...