Splunk Search

geostat is taking only one value from the lookup table


I'm trying to show the count of the number of hosts in an area using a cluster map.
I have added a lookup CSV file with the hostname, the city it belongs to, lat, and long.
But when I try the below query:

    index="*" | lookup host_loc.csv host | geostats latfield="latitude" longfield="longitude" count by city

I get the output as

In the visualization, it takes only one host linked to the city Maynard and displays the details on the map.

    node0-zanzibar,Dallas,32.78306, -96.80667
    node1-zanzibar,Cupertino,37.3229978, -122.0321823
    a4109611-98b7-422e-a4aa-e8c8ab299b11,Maynard,38.58157, -121.4944

Is geostat linked to my IP? Even though I change the city Maynard with a different hostname, it is taking the count of that hostname only.
It's weird. Can anyone explain why this is happening?

0 Karma

Super Champion

Try:

    [| inputlookup host_loc.csv
    | table host ]
    | geostats latfield="latitude" longfield="longitude" count by city

0 Karma


No, it is not working.
Even the count is not showing.

0 Karma