geostats sorting

sf_user_199
Path Finder

I have a geostats map that is powered by this query:

| stats count by src,http_user_agent | iplocation src | geostats sum(count) by http_user_agent

I intentionally wanted to have a global limit of 20, and set that via XML.

My problem is that instead of showing the top 20 values, the map instead sorts alphabetically. I'd like the command to function more like the top command.

Any suggestions?

briancronrath
Contributor

Unfortunately, a clean option doesn't really exist; I really wish we could just specify limit and sorting per the "bins". There is a different option than the above-mentioned workaround of naming the field, which is to use a locallimit. You can set globallimit=0 to have no globallimit, but have locallimit=20 so that the top 20 values per "map view area" are displayed. What I mean by this is that if you zoom in and start scrolling around, based on all the data showing up on your current map area, you will get the top 20 values for that map area as a whole.

yannK
Splunk Employee

There is a workaround: create an intermediary new field with the number followed by the http_user_agent, and it will then be sorted alphabetically, but starting with the count. It requires using a stats and preserving the lat and lon, then using sum(count) instead of count.


<mysearch> | iplocation src_ip | stats count values(lon) AS lon values(lat) AS lat by http_user_agent | eval SortingField=count."-".http_user_agent | geostats sum(count) by SortingField
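
A variation on the workaround above, as an added example that is not part of any poster's reply: a bare count prefix is compared as a string (so "10-..." sorts before "9-..."), whereas a zero-padded rank prefix makes alphabetical order match descending total count. It assumes geostats orders the split-by series alphabetically, as described in this thread; `agent_total` and `rank` are field names introduced here, and the stats keeps one row per lat/lon so each location remains its own point.

```spl
<mysearch>
| iplocation src
| stats count by lat, lon, http_user_agent
| eventstats sum(count) AS agent_total by http_user_agent
| sort 0 - agent_total, http_user_agent
| streamstats dc(http_user_agent) AS rank
| eval SortingField=printf("%03d", rank)."-".http_user_agent
| geostats globallimit=20 sum(count) by SortingField
```

The secondary sort on http_user_agent keeps rows for the same agent adjacent when totals tie, so the running distinct count yields one rank per agent.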
