Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

geostats sorting

sf_user_199
Path Finder
‎02-27-2014 01:18 PM

I have a geostats map that is powered by this query:

| stats count by src,http_user_agent | iplocation src | geostats sum(count) by http_user_agent

I intentionally wanted to have a global limit of 20, and set that via XML.

My problem is that instead of showing the top 20 values, the map instead sorts alphabetically. I'd like the command to function more like the top command.

Any suggestions?

0 Karma
Reply

briancronrath
Contributor
‎05-15-2017 11:28 PM

Unfortunately a clean option doesn't really exist, really wish we could just specify limit and sorting per the "bins". There is a different option that the above mentioned workaround of naming the field, which is to use a locallimit. You can set globallimit=0 to have no globallimit, but have locallimit=20 so that the top 20 values per "map view area" are displayed. What I mean by this, is that if you zoom in, and start scrolling around, based on all the data showing up on your current map area, you will get the top 20 values for that map area as a whole.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-06-2014 01:04 PM

There is a workaround by creating an intermediary new field with the number followed by the http_user_agent, and it will then be sorted alphabetically, but starting with the count. It will require to use a stats and preserve the lat and lon, then use the sum(count) instead of count.


<mysearch> | iplocation src_ip | stats count values(lon) AS lon values(lat) AS lat by http_user_agent | eval SortingField=count."-".http_user_agent | geostats sum(count) by SortingField

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...