Re: iplocation not showing country,city when selec...

kapilbk1996 · ‎07-13-2018

I am using the following iplocation query:-

index="filtered_uiauditlogs" | stats count(ip) as "Count" by ip | appendcols [search index="filtered_uiauditlogs" |iplocation ip | table Country,City,ip | dedup ip] |appendcols [search index="filtered_uiauditlogs" | stats avg(response_time) by ip ] | rename ip as "Client Ip" | rename avg(response_time) as "Avg Response Time(ms)"

When I execute this query for the Relative time frame (eg, last 15 min or All time), the following fields are shown as expected(Refer to image).
Client Ip, Count, Avg Response Time(ms), City, Country

But when I change the time frame to real time in time range picker, then it only shows 2 columns - Client Ip and Count only.

Please help me out with the same.

Refer to these screenshots

1 https://drive.google.com/file/d/15DGQdby-51hy1gGW-6AhcLvFbtuyuX9t/view?usp=sharing
2 https://drive.google.com/open?id=1-1RZtehBfSfBuhwmz3qwu49Zr6gDwXuj

MuS · ‎07-15-2018

Hi kapilbk1996,

like @woodcock said, don't do real time when using appendcols because in general, every subsearch finishes before the main search starts. Real-time searches do not finish, hence subsearches cannot be real-time.

Also, you are doing three times the same search ... why not simply do this:

index="filtered_uiauditlogs" 
| stats count values(*) AS * by ip 
| iplocation ip 
| do more SPL fu

Hope this helps ...

cheers, MuS

woodcock · ‎07-15-2018

Don't do realtime. Seriously.

iplocation not showing country,city when selected "Real Time" from time range picker

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor