Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Mapping by Zip code

ryankrieger
Loves-to-Learn
‎01-24-2020 08:40 AM

When I am trying to map by Zipcode I get the stats table to genereate but when switching to geostats it takes 4 results from the stats table and makes it 39. Seems to be grouping by geobin instead of zip

Any ideas why this is happening?

index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code  Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long  Sum(Count)

index="IndexA" servco_name="Store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code  Zipcode OUTPUT Lat Long
| Stats Sum(Count) by Zipcode
0 Karma
Reply

mydog8it
Builder
‎01-24-2020 12:38 PM

I think you might just be missing a "BY" clause...

 index="indexA" servco_name="store*" servtype_id="CFAIL"
 | rename zip_code as Zipcode
 | lookup zip_code  Zipcode OUTPUT Lat Long
 | geostats latfield=Lat longfield=Long  Sum(Count) BY Zipcode
0 Karma
Reply

to4kawa
Ultra Champion
‎01-24-2020 12:35 PM

UPDATE:

index="indexA" servco_name="store*" servtype_id="CFAIL"
 | rename zip_code as Zipcode
 | stats Sum(Count)  as Count by Zipcode
 | lookup zip_code  Zipcode OUTPUT Lat Long
 | geostats latfield=Lat longfield=Long  values(Count) as Count  values(Zipcode) as Zipcode

how about this?

0 Karma
Reply

ryankrieger
Loves-to-Learn
‎01-24-2020 12:49 PM

When I add that by Zipcode clause I still get more stats than events.

796 events, 344 stats when count by Zipcode but it create 1,427 map points using geostats

0 Karma
Reply

to4kawa
Ultra Champion
‎01-24-2020 01:07 PM

is that wrong?
Do you want to count by each Zipcode?

0 Karma
Reply

ryankrieger
Loves-to-Learn
‎01-24-2020 01:37 PM

I would like to see number of events per Zipcode
This is how it show up with the geostats most of the geobins contains multiple zips.

geobin latitude longitude Zipcode
bin_id_zl_0_y_4_x_1 20.50500 -156.95500 96701
96740

bin_id_zl_0_y_5_x_1 35.54629 -108.64629 38637
50322

50613

0 Karma
Reply

to4kawa
Ultra Champion
‎01-24-2020 01:45 PM

Do you check Zipcode lat and lon are right?

0 Karma
Reply

cdhippen
Path Finder
‎01-24-2020 12:32 PM

Is this two searches or one? I also see that you're doing a sum of a count? Could you give some sample data and your desired output?

0 Karma
Reply

ryankrieger
Loves-to-Learn
‎01-24-2020 12:56 PM

this is 2 searches The first one gives way extra results when mapping, the 2nd one gives the correct rollup.

I can't give the raw data due to privacy but in the data there is a field called zip_code, I use a lookup to get the lat and long associated with that zip and then want to map the events by zip.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top