Solved: How do you use the where clause in a cluster map?

everynameIwanti · ‎11-21-2018

I'm trying to make a cluster map in Splunk by their IP address.

I grouped the IP by id number, and I want to only show the cluster which each an ID has more than 3 IP addressess.

I have the following code:

index="xxx"  id != "-"  | iplocation ip | geostats dc(ip) by id

And I tried to make a variable name for dc(ip) (like dc(ip) as ipCount) so that I can use it in the where clause (where ipCount > 3), but unfortunately geostats doesn't allow me to rename.

Does anybody know how or where to add a where clause or is there another way of making the map?

Thank you

adonio · ‎11-21-2018

without testing, maybe something along those lines:

 index="xxx" id != "-" 
| eventstats dc(ip) as unique_ips by id 
| where unique_ips > 3
| iplocation ip | geostats max(unique_ips)  by id

hope it helps

View solution in original post

adonio · ‎11-21-2018

without testing, maybe something along those lines:

 index="xxx" id != "-" 
| eventstats dc(ip) as unique_ips by id 
| where unique_ips > 3
| iplocation ip | geostats max(unique_ips)  by id

hope it helps

How do you use the where clause in a cluster map?

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?

How do you use the where clause in a cluster map?

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler