Geostats with status and multiple fields

Splunk_rocks · ‎06-30-2019

Hello

Looking for some help for Geo stats command.

I have following fields showing splunk index time - name,host,State,region_id,longitude,latitude,info,geo,status (up/down value)
I need help to construct search query like with geostats showing maps.
Like host status down(RED)/up (Blue) with pie chart with info showing in maps.
All im trying to do is use Geostats command to show my fields info in maps.

some thing like below.

index=test  status="*"  | dedup host  | iplocation host| geostats latfield=latitude longfield=longitude count by status | eval redCount = if(status=Down, Down, 0) | eval greenCount = if(status=UP, TOTAL,0) | fields - TOTAL

memarshall63 · ‎06-30-2019

If you have a search that's generating a basic list of IP Address with a status. Something like this:

ip,status
"192.168.1.66",DOWN
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"54.239.18.122",UP
"77.247.110.78",UP
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"2001:506:7278:389::1",DOWN
"51.75.52.127",UP
"52.46.133.39",UP
"89.148.203.139",UP
"2001:506:7278:389::1",DOWN
"92.118.37.86",UP
"2001:506:7278:389::1",DOWN

and then you pipe that into this:

| dedup ip
| table ip status 
| iplocation ip 
| geostats count by status

You should end up with a table that when visualized as a geomap gives you piecharts that shows Up vs. Down.

https://imgur.com/i0jZ9C6

Geostats with status and multiple fields

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Geostats with status and multiple fields

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES