iplocation when outputting in command stats

nalia_v · ‎04-15-2021

Hello everyone,
Someone may already be doing the output of grouped events with the definition of location by ip.

How not to lose location data when grouping events ?

In my request spl it is

| search......
|stats count(tunnelid) as sessioncount, values(StartTime) as StartTime, values(tunnelid) as tunnelid, values(tunnelip) as tunnelip, values(remip) as remip, values(vendor_action) as vendor_action by user
| iplocation remip

Of course, when displaying one type, the location IP is displayed.

How to display data on the location of each IP in grouped events ?

richgalloway · ‎04-15-2021

Apparently, the iplocation command can't handle a multi-value field. Try putting iplocation before stats.

| search......
| iplocation remip
| stats count(tunnelid) as sessioncount, values(*) as * by user

---
If this reply helps you, Karma would be appreciated.

iplocation when outputting in command stats

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation

iplocation when outputting in command stats

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!