geostat is taking only one value from the lookup t...

gwtm_hak · ‎08-12-2019

I'm trying to show the count of the number of hosts in an area using a cluster map.
I have added a lookup CSV file with the hostname, city belonging, lat, and long
But when I try the below query

index="*" | lookup host_loc.csv host| geostats  latfield="latitude" longfield="longitude" count by city

I get the output as

in visualization, it takes only one host linked to city Maynard and displays the details on the map

host,city,latitude,longitude
node0-zanzibar,Dallas,32.78306, -96.80667
node1-zanzibar,Cupertino,37.3229978, -122.0321823
9279ad97-ccd3-4f22-a10b-e6bec987af5f,Sacramento,42.4334269,-71.449507
a4109611-98b7-422e-a4aa-e8c8ab299b11,Maynard,38.58157, -121.4944

Is geostat linked to my IP? even though I change the city Maynard with the different hostname it is taking the count of that hostname only
It's weird can anyone explain why this is happening?

mayurr98 · ‎08-12-2019

try :

index="*" 
    [| inputlookup host_loc.csv 
    | table host ] 
| geostats latfield="latitude" longfield="longitude" count by city

gwtm_hak · ‎08-12-2019

no, it is not working
even the count is also not showing

geostat is taking only one value from the lookup table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms