Splunk Search

geostats sorting

sf_user_199
Path Finder

I have a geostats map that is powered by this query:

| stats count by src,http_user_agent | iplocation src | geostats sum(count) by http_user_agent

I intentionally wanted to have a global limit of 20, and set that via XML.

My problem is that instead of showing the top 20 values, the map instead sorts alphabetically. I'd like the command to function more like the top command.

Any suggestions?

0 Karma

briancronrath
Contributor

Unfortunately a clean option doesn't really exist; I really wish we could just specify limit and sorting per the "bins". There is a different option than the above-mentioned workaround of naming the field, which is to use a locallimit. You can set globallimit=0 to have no global limit, but have locallimit=20 so that the top 20 values per "map view area" are displayed. What I mean by this is that if you zoom in and start scrolling around, based on all the data showing up in your current map area, you will get the top 20 values for that map area as a whole.

0 Karma

yannK
Splunk Employee

There is a workaround: create an intermediary new field with the count followed by the http_user_agent, and it will then be sorted alphabetically, but starting with the count. It will require using stats and preserving the lat and lon, then using sum(count) instead of count.


<mysearch> | iplocation src_ip | stats count values(lon) AS lon values(lat) AS lat by http_user_agent | eval SortingField=count."-".http_user_agent | geostats sum(count) by SortingField
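The two answers above describe two ways to get a count-ordered set of geostats bins: a sort key built from the count, and locallimit in place of globallimit. The search below is an added example, not code from either poster. It combines the two and handles one detail the count-prefixed key does not: string ordering puts "10-agent" before "9-agent", so the count is zero-padded, and it is subtracted from a large constant so that the highest counts sort first rather than last. It assumes the field names from the question (src, http_user_agent), the eval printf() function available in Splunk Enterprise 7.1 and later, an arbitrary padding width of eight digits (counts above 99999999 would need a wider constant), and that geostats keeps the split-by values in ascending string order, as the workaround above relies on.

```spl
<mysearch>
| iplocation src
| stats count values(lon) AS lon values(lat) AS lat by http_user_agent
| eval rank=99999999-count
| eval SortingField=printf("%08d", rank)."-".http_user_agent
| geostats globallimit=0 locallimit=20 sum(count) by SortingField
```

With globallimit=0 every bin is kept, and locallimit=20 keeps the first 20 keys per map view area; because the key now sorts highest count first, those 20 are the top user agents for that area. The original question's globallimit=20 set in XML can be dropped when using this form, since the two limits would otherwise compete.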
