Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to separate query result by country
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following which provides me the total number of events for each minute and the predicted value as well as the residual for that time.
I want to break this up by Country, so for each client ip, do the same but separate them by each country.
Any idea how to start?
index=* sourcetype ="access_combined" clientip=*
| bin _time span=1m
| stats count AS perMin by _time
| timechart span=1m sum(perMin) AS Total
| predict Total as prediction algorithm=LLP future_timespan=5 holdback=0
| where prediction!="" AND Total!=""
| eval residual = prediction - Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this,
index=* sourcetype ="access_combined" clientip=*
| iplocation clientip
| bin _time span=1m
| stats count AS perMin by _time Country
| stats sum(perMin) AS Total by _time Country
| predict Total as prediction algorithm=LLP future_timespan=5 holdback=0
| where prediction!="" AND Total!=""
| eval residual = prediction - Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this,
index=* sourcetype ="access_combined" clientip=*
| iplocation clientip
| bin _time span=1m
| stats count AS perMin by _time Country
| stats sum(perMin) AS Total by _time Country
| predict Total as prediction algorithm=LLP future_timespan=5 holdback=0
| where prediction!="" AND Total!=""
| eval residual = prediction - Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I was looking for, thank you!
I was trying to use Timechart because I thought to use the Predict command, it had to be preceded by the Timechart command, in this case, stats worked just fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to iplocation command for populating country name based on clientip ....
Please modify your query as below
|makeresults |eval clientip = "136.168.3.2,119.56.76.89"|eval clientip = split(clientip , ",") |mvexpand clientip |iplocation clientip|bin _time span=1m |stats count as count1m by _time Country |eventstats sum(count1m) as total by _time
Happy Splunking !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not sure if that works? is there something wrong with my query ?
index=* sourcetype ="access_combined" clientip=*
|makeresults
|eval clientip = "136.168.3.2,119.56.76.89"
|eval clientip = split(clientip , ",")
|mvexpand clientip
|iplocation clientip
|bin _time span=1m
|stats count as count1m by _time Country
|eventstats sum(count1m) as total by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Corrected query
index=* sourcetype ="access_combined" clientip=*
|iplocation clientip
|bin _time span=1m
|stats count as count1m by _time Country
|eventstats sum(count1m) as total by _time
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
