Splunk Search

multiple field in geostats

Path Finder

Hi,

I am trying to display multiple fields like num1, num2, num3 on a map and trying to get their lat and long from an external CSV using join. The common field is clli_pk. How can we display all the values (num1, num2, ...)?

| rex max_match=15 field=tracesnew "(?<hop_num>[0-9]+)\s|(?<node_name>.*?)\s|((?<hop_ip>[0-9]+.[0-9]+.[0-9]+.[0-9]+))\s|(?<hop_latency>[0-9]+.[0-9]+)"
| table DestNodeName SiteId Ave hop_num node_name hop_ip hop_latency time HopNo LAT LON
| eval Check=if((mvcount(hop_num)=HopNo),0,1)
| search Check=0
| eval hop1node=trim(mvindex(node_name,0))
| eval hop2node=trim(mvindex(node_name,1))
| eval hop3node=trim(mvindex(node_name,2))
| eval hop4node=trim(mvindex(node_name,3))
| eval clli_pk=substr(hop4node,1,8)
| stats avg(Ave) AS Ave by hop4node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]

| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18

0 Karma

SplunkTrust

Instead of | join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ] use | lookup CLLI_Address.csv clli_pk OUTPUT latitude longitude

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

Here I am able to get the field value, but my query is
| eval clli_pk=substr(hop4node,1,8)
| stats avg(Ave) AS Ave by hop1node hop2node hop3node hop4node hop5node hop6node hop7node hop8node hop9node clli_pk
| join type=left clli_pk [| from inputlookup:"CLLI_Address.csv" | table clli_pk latitude longitude ]
| geostats median(Ave) by hop4node latfield=latitude longfield=longitude globallimit=0 binspanlat=1 binspanlong=1 maxzoomlevel=18
Here only one field, hop4Node, is displayed. How can I display all the fields, i.e. hop1node, hop2node, hop3node, on the map?

0 Karma

SplunkTrust

I'm not sure you can do that, but perhaps someone else will have an idea. The geostats command accepts a single field in the by clause so you can do as you did in stats. You could try combining all the fields into a single field using | eval hops="" | foreach hop*Node [eval hops=hops."|".<<FIELD>>] | geostats median(Ave) by hops..., but that will give you stats for every combination of hop nodes.

0 Karma