Geostats with status and multiple fields

Splunk_rocks · ‎06-30-2019

Hello

Looking for some help for Geo stats command.

I have following fields showing splunk index time - name,host,State,region_id,longitude,latitude,info,geo,status (up/down value)
I need help to construct search query like with geostats showing maps.
Like host status down(RED)/up (Blue) with pie chart with info showing in maps.
All im trying to do is use Geostats command to show my fields info in maps.

some thing like below.

index=test  status="*"  | dedup host  | iplocation host| geostats latfield=latitude longfield=longitude count by status | eval redCount = if(status=Down, Down, 0) | eval greenCount = if(status=UP, TOTAL,0) | fields - TOTAL

memarshall63 · ‎06-30-2019

If you have a search that's generating a basic list of IP Address with a status. Something like this:

ip,status
"192.168.1.66",DOWN
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"54.239.18.122",UP
"77.247.110.78",UP
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"51.75.52.127",UP
"52.46.133.39",UP
"89.148.203.139",UP
"2001:506:7278:389::1",DOWN
"92.118.37.86",UP
"2001:506:7278:389::1",DOWN

and then you pipe that into this:

| dedup ip
| table ip status 
| iplocation ip 
| geostats count by status

You should end up with a table that when visualized as a geomap gives you piecharts that shows Up vs. Down.

https://imgur.com/i0jZ9C6

Geostats with status and multiple fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!