Splunk Search

Why can't I get geostats in Splunk 6.3 to create a map from latitude and longitude values extracted in a search?

New Member

Using Splunk 6.3

I have a search that extracts from JSON from a log entry (packed as log4j), then rex out a Lat Long from one of the fields.

index = "production" DeviceLocation | rex "(?<json_data>{.*)" | spath input=json_data | rex field=DeviceLocation "(?<latitude>.*)/(?<longitude>.*)"

The this leaves me with two values: a latitude and longitude as a field, however, I can't get it to create a map using geostats.

index = "production" DeviceLocation | rex "(?<json_data>{.*)" | spath input=json_data | rex field=DeviceLocation "(?<latitude>.*)/(?<longitude>.*)"|geostats latfield=latitude longfield=longitude count

Every time I run the search, I only get "No results found."

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Based on your comment, it looks like Splunk doesn't parse the latitude correctly where you have a + in your field. Try the following query that strips away the +

... | rex field=DeviceLocation "\+?(?<latitude>[0-9.-]*)/\+?(?<longitude>[0-9.-]*)" |geostats latfield=latitude longfield=longitude count

View solution in original post

Splunk Employee
Splunk Employee

Based on your comment, it looks like Splunk doesn't parse the latitude correctly where you have a + in your field. Try the following query that strips away the +

... | rex field=DeviceLocation "\+?(?<latitude>[0-9.-]*)/\+?(?<longitude>[0-9.-]*)" |geostats latfield=latitude longfield=longitude count

View solution in original post

New Member

_time,host,source,sourcetype,DeviceLocation
11/16/15 5:29:58.148 PM,hostnameChanged,/path/to/the/files,log4j,+37.32/-112.03

The second rex breaks them out alright into latitude and longitude...I think im missing something obvious

0 Karma

Splunk Employee
Splunk Employee

The query looks right. Would you be able to post an excerpt of a CSV export of your data before you use the second rex? Feel free to scrub it if it contains sensitive data

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!