geostats sorting

sf_user_199
Path Finder

I have a geostats map that is powered by this query:

| stats count by src,http_user_agent | iplocation src | geostats sum(count) by http_user_agent

I intentionally wanted to have a global limit of 20, and set that via XML.

My problem is that instead of showing the top 20 values, the map instead sorts alphabetically. I'd like the command to function more like the top command.

Any suggestions?

0 Karma

briancronrath
Contributor

Unfortunately a clean option doesn't really exist; I really wish we could just specify limit and sorting per the "bins". There is a different option than the above-mentioned workaround of naming the field, which is to use a locallimit. You can set globallimit=0 to have no globallimit, but have locallimit=20 so that the top 20 values per "map view area" are displayed. What I mean by this is that if you zoom in and start scrolling around, based on all the data showing up on your current map area, you will get the top 20 values for that map area as a whole.

0 Karma

yannK
Splunk Employee

There is a workaround by creating an intermediary new field with the number followed by the http_user_agent; it will then be sorted alphabetically, but starting with the count. It will require using a stats that preserves the lat and lon, then using sum(count) instead of count.

<mysearch> | iplocation src_ip | stats count values(lon) AS lon values(lat) AS lat by http_user_agent | eval SortingField=count."-".http_user_agent | geostats sum(count) by SortingField
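A variant of the prefix-field workaround above, added here as an example (not from the original answer or from Splunk). Because the map orders the split-by values as strings, a bare count sorts "9-..." after "10-..."; zero-padding the number and subtracting it from a large constant makes the lexical order match descending count, and the total is computed with eventstats so each src keeps its own geolocation instead of collapsing all IPs of a user agent into one point. The field names src, http_user_agent and the 20-category limit are taken from the question; the 9999999999 pad constant is an assumed ceiling on the count.

```spl
<mysearch>
| stats count by src, http_user_agent
| eventstats sum(count) AS total by http_user_agent
| eval SortingField=printf("%010d", 9999999999 - total)."-".http_user_agent
| iplocation src
| geostats sum(count) by SortingField globallimit=20
```

The pie slices are then labelled with the inverted key rather than the raw user agent, so this is a presentation trade-off; if the labels matter more than the ordering, the locallimit approach is the cleaner choice.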
