Solved: How do you use the where clause in a cluster map?

everynameIwanti · ‎11-21-2018

I'm trying to make a cluster map in Splunk by their IP address.

I grouped the IP by id number, and I want to only show the cluster which each an ID has more than 3 IP addressess.

I have the following code:

index="xxx"  id != "-"  | iplocation ip | geostats dc(ip) by id

And I tried to make a variable name for dc(ip) (like dc(ip) as ipCount) so that I can use it in the where clause (where ipCount > 3), but unfortunately geostats doesn't allow me to rename.

Does anybody know how or where to add a where clause or is there another way of making the map?

Thank you

adonio · ‎11-21-2018

without testing, maybe something along those lines:

 index="xxx" id != "-" 
| eventstats dc(ip) as unique_ips by id 
| where unique_ips > 3
| iplocation ip | geostats max(unique_ips)  by id

hope it helps

View solution in original post

adonio · ‎11-21-2018

without testing, maybe something along those lines:

 index="xxx" id != "-" 
| eventstats dc(ip) as unique_ips by id 
| where unique_ips > 3
| iplocation ip | geostats max(unique_ips)  by id

hope it helps

How do you use the where clause in a cluster map?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How do you use the where clause in a cluster map?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey