Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

multiple field in geostats

vikashperiwal
Path Finder
‎12-15-2018 01:24 AM

HI,

i am trying to display multiple fields like num1, num2, num 3 in map and trying to gets its lat and long from external csv using join.common field is clli_pk.. how can we display all the values(num 1 , num 2...)

| rex max_match=15 field=traces_new "(?[0-9]+)\s|(?.*?)\s|((?[0-9]+.[0-9]+.[0-9]+.[0-9]+))\s|(?[0-9]+.[0-9]+)"
| table DestNodeName SiteId Ave hop_num node_name hop_ip hop_latency _time HopNo LAT LON
| eval Check=if((mvcount(hop_num)=HopNo),0,1)
| search Check=0
| eval hop1node=trim(mvindex(node_name,0))
| eval hop2node=trim(mvindex(node_name,1))
| eval hop3node=trim(mvindex(node_name,2))
| eval hop4node=trim(mvindex(node_name,3))
| eval clli_pk=substr(hop4node,1,8)
| stats avg(Ave) AS Ave by hop4node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]

| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2018 10:00 AM

Instead of | join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ] use | lookup CLLI_Address.csv clli_pk OUTPUT latitude longitude

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vikashperiwal
Path Finder
‎12-16-2018 10:35 AM

here i am able to get the field value , but my query is
"| eval clli_pk=substr(hop4node,1,8)*
| stats avg(Ave) AS Ave by hop1node hop2node hop3node hop4node hop5node hop6node hop7node hop8node hop9node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]
| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18
here for only one field that is hop4Node is displayed, how can i display all the fields ie.. hop1node,hop2node,hop3node in map.........

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-17-2018 05:41 AM

I'm not sure you can do that, but perhaps someone else will have an idea. The geostats command accepts a single field in the by clause so you can do as you did in stats. You could try combining all the fields into a single field using | eval hops="" | foreach hop*Node [eval hops=hops."|".<<FIELD>>] | geostats median(Ave) by hops..., but that will give you stats for every combination of hop nodes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...