Splunk Search

multiple field in geostats

vikashperiwal
Path Finder

HI,

I am trying to display multiple fields like num1, num2, num3 on a map and trying to get their lat and long from an external CSV using join. The common field is clli_pk. How can we display all the values (num1, num2, ...)?

| rex max_match=15 field=traces_new "(?<hop_num>[0-9]+)\s|(?<node_name>.*?)\s|((?<hop_ip>[0-9]+.[0-9]+.[0-9]+.[0-9]+))\s|(?<hop_latency>[0-9]+.[0-9]+)"
| table DestNodeName SiteId Ave hop_num node_name hop_ip hop_latency _time HopNo LAT LON
| eval Check=if((mvcount(hop_num)=HopNo),0,1)
| search Check=0
| eval hop1node=trim(mvindex(node_name,0))
| eval hop2node=trim(mvindex(node_name,1))
| eval hop3node=trim(mvindex(node_name,2))
| eval hop4node=trim(mvindex(node_name,3))
| eval clli_pk=substr(hop4node,1,8)
| stats avg(Ave) AS Ave by hop4node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]

| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18

0 Karma

richgalloway
SplunkTrust

Instead of | join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ] use | lookup CLLI_Address.csv clli_pk OUTPUT latitude longitude

---
If this reply helps you, Karma would be appreciated.
0 Karma

vikashperiwal
Path Finder

Here I am able to get the field value, but my query is:
| eval clli_pk=substr(hop4node,1,8)
| stats avg(Ave) AS Ave by hop1node hop2node hop3node hop4node hop5node hop6node hop7node hop8node hop9node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]
| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18
Here only one field, that is hop4node, is displayed. How can I display all the fields, i.e. hop1node, hop2node, hop3node, on the map?

0 Karma

richgalloway
SplunkTrust

I'm not sure you can do that, but perhaps someone else will have an idea. The geostats command accepts a single field in the by clause so you can do as you did in stats. You could try combining all the fields into a single field using | eval hops="" | foreach hop*Node [eval hops=hops."|".<<FIELD>>] | geostats median(Ave) by hops..., but that will give you stats for every combination of hop nodes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
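Putting the two replies together, as an added example that is not code from the thread: the first search builds the combined hops field suggested above (with coalesce, because concatenating a null hop would otherwise null the whole string) and uses lookup instead of join; the second goes beyond the replies by expanding each hop into its own row so that every hop node is looked up and plotted at its own coordinates. Both assume the events already carry node_name and Ave from the rex/table pipeline in the question, and that CLLI_Address.csv is an uploaded lookup with the columns clli_pk, latitude and longitude.

```spl
| eval hop1node=trim(mvindex(node_name,0)), hop2node=trim(mvindex(node_name,1)), hop3node=trim(mvindex(node_name,2)), hop4node=trim(mvindex(node_name,3))
| eval hops=""
| foreach hop*node [eval hops=hops."|".coalesce('<<FIELD>>',"")]
| eval clli_pk=substr(hop4node,1,8)
| lookup CLLI_Address.csv clli_pk OUTPUT latitude longitude
| where isnotnull(latitude) AND isnotnull(longitude)
| geostats median(Ave) by hops latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18

| eval hop1node=trim(mvindex(node_name,0)), hop2node=trim(mvindex(node_name,1)), hop3node=trim(mvindex(node_name,2)), hop4node=trim(mvindex(node_name,3))
| eval hop=mvappend(hop1node,hop2node,hop3node,hop4node)
| mvexpand hop
| where isnotnull(hop) AND hop!=""
| eval clli_pk=substr(hop,1,8)
| lookup CLLI_Address.csv clli_pk OUTPUT latitude longitude
| where isnotnull(latitude) AND isnotnull(longitude)
| stats avg(Ave) AS Ave by hop clli_pk latitude longitude
| geostats median(Ave) by hop latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18
```

The first search plots one marker per combination of hop nodes at the hop4node location, which is the limitation noted in the reply; the second keeps geostats on a single by field (hop) but, after mvexpand, each hop node is a separate row with its own latitude and longitude, so all hops appear on the map.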