Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Geostats returning the same lat lon for all events

ccsfdave
Builder
‎07-15-2016 01:12 PM

Greetings,

Prior to getting a stream of this data next week, I am preparing with some CSV lookups. I have two files right now, the sample data from an access point and a lookup of the AP's name and the lat lon

Client Username,Client IP Address,Client MAC Address,Association Time,Vendor,AP Name,Radio Type,Device Name,Map Location,SSID,Profile,VLAN ID,Protocol,Session Duration,Policy Type,Avg. Session Throughput (Kbps)

,10.x.x.x,z:z:z:z:z:z,Fri Jun 24 17:09:26 PDT 2016,Apple,AP0000-street&avenue0,802.11a/n/ac,SVN-WLC-HDWIFI,System Campus > HDWIFI > HDWIFI-POD4,#cityWiFi,#cityWiFi,254,802.11n(5GHz),5min 12sec,NOTAVAILABLE,<0.1

so that's the data, below is the lookup

AP Name,lat,lon
AP0000-street&avenue0,37.697842, -123.000534

This search yields the right results:

| inputcsv StreetAP |join "AP Name" [|inputcsv StreetAPtable]|rename "AP Name" as apname|stats count by apname lat lon

results:

apname  lat lon count
AP0000-street&avenue0   37.697842, -123.000534  221

This search yields all the same lat/lon

| inputcsv MarketAP |join "AP Name" [|inputcsv MarketAPtable]|rename "AP Name" as apname|geostats latfield=lat longfield=lon `count by apname

Where have I gone wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 01:15 PM

How close are the coordinates together? The geostats command groups the latitudes and longitudes into bins for easy visualization. You may have to edit binspanlat and binspanlong attributes to the geostats command to ensure that multiple location don't get consolidated into one because they are close to each other

View solution in original post

Reply
Solved! Jump to solution

dhirendra761
Contributor
‎12-04-2018 01:08 AM

This app will be helpful:
https://splunkbase.splunk.com/app/3124/

0 Karma
Reply
Solved! Jump to solution
Solution

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 01:15 PM

How close are the coordinates together? The geostats command groups the latitudes and longitudes into bins for easy visualization. You may have to edit binspanlat and binspanlong attributes to the geostats command to ensure that multiple location don't get consolidated into one because they are close to each other

Reply
Solved! Jump to solution

ccsfdave
Builder
‎07-21-2016 10:53 AM

@craigv

I finally had a chance to test this and though I need to change the map, I can see in the table that the lat/lon is changing and thus I think this did the trick

0 Karma
Reply
Solved! Jump to solution

ccsfdave
Builder
‎07-19-2016 01:19 PM

Oh...yeah they are each a small city block (1/10 mi) from each other

0 Karma
Reply
Solved! Jump to solution

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 01:41 PM

Yes so in that case you will want to reduce binspanlat and binspanlong to the extent practicable. i would half each of them until you get something that works. You also might find that the splunk tiles can't zoom in that much. In that case you might have to use an alternate tile server for the maps.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...