Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

geostats sorting

sf_user_199
Path Finder
‎02-27-2014 01:18 PM

I have a geostats map that is powered by this query:

| stats count by src,http_user_agent | iplocation src | geostats sum(count) by http_user_agent

I intentionally wanted to have a global limit of 20, and set that via XML.

My problem is that instead of showing the top 20 values, the map instead sorts alphabetically. I'd like the command to function more like the top command.

Any suggestions?

0 Karma
Reply

briancronrath
Contributor
‎05-15-2017 11:28 PM

Unfortunately a clean option doesn't really exist, really wish we could just specify limit and sorting per the "bins". There is a different option that the above mentioned workaround of naming the field, which is to use a locallimit. You can set globallimit=0 to have no globallimit, but have locallimit=20 so that the top 20 values per "map view area" are displayed. What I mean by this, is that if you zoom in, and start scrolling around, based on all the data showing up on your current map area, you will get the top 20 values for that map area as a whole.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-06-2014 01:04 PM

There is a workaround by creating an intermediary new field with the number followed by the http_user_agent, and it will then be sorted alphabetically, but starting with the count. It will require to use a stats and preserve the lat and lon, then use the sum(count) instead of count.


<mysearch> | iplocation src_ip | stats count values(lon) AS lon values(lat) AS lat by http_user_agent | eval SortingField=count."-".http_user_agent | geostats sum(count) by SortingField

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...