Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Mapping by Zip code
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mapping by Zip code
When I am trying to map by Zipcode I get the stats table to genereate but when switching to geostats it takes 4 results from the stats table and makes it 39. Seems to be grouping by geobin instead of zip
Any ideas why this is happening?
index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long Sum(Count)
index="IndexA" servco_name="Store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| Stats Sum(Count) by Zipcode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you might just be missing a "BY" clause...
index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long Sum(Count) BY Zipcode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATE:
index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| stats Sum(Count) as Count by Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long values(Count) as Count values(Zipcode) as Zipcode
how about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I add that by Zipcode clause I still get more stats than events.
796 events, 344 stats when count by Zipcode but it create 1,427 map points using geostats
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is that wrong?
Do you want to count by each Zipcode?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to see number of events per Zipcode
This is how it show up with the geostats most of the geobins contains multiple zips.
geobin latitude longitude Zipcode
bin_id_zl_0_y_4_x_1 20.50500 -156.95500 96701
96740
bin_id_zl_0_y_5_x_1 35.54629 -108.64629 38637
50322
50613
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you check Zipcode lat and lon are right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this two searches or one? I also see that you're doing a sum of a count? Could you give some sample data and your desired output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is 2 searches The first one gives way extra results when mapping, the 2nd one gives the correct rollup.
I can't give the raw data due to privacy but in the data there is a field called zip_code, I use a lookup to get the lat and long associated with that zip and then want to map the events by zip.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
