I'm trying to eventually utilize the builtin GEOSTATS map to populate a simple map showing the number of IP addresses that hit my firewall from a specific country over a period of time. Problem is, I cannot get anything to work related to GEOSTATS. Hopefully, I can lay this out in a simple manor..... Datamodel = test Extracted Fields: Client_IP (field within the log that the Originating IP address is extracted) test_IP (field alias points to this field, set as IPv4, is the "IP" field utilized within the GEO IP settings) What works: 1. Datamodel "test": Acceleration is on, status 100% complete, and tstats commands can be used against this datamodel that produce the expected results 2. If I go into datamodel "test", under the GEO IP settings, select "Preview"....It populates with Lat, Long, & Country information 3. | datamodel test search | table Client_IP, test_IP, test_lat, test_lon, test_Country. - this query produces lat, long, and country results. 3. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP test.test_Country - this query produces exactly what I would expect to see....The "test_IP" field with IP addresses, "Unique_IP" field with the count of records per IP address, and "test_Country" showing the country the IP address originates from The Problem: once I add a pipe "|" things stop working. Example: 1. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | table test.test_IP test.test_Country Unique_IP - only shows the "Unique_IP" field and the results of that field and the IP address in the "test.test_IP" field 2. | tstats count AS Unique_IP FROM datamodel="test" BY test.test_IP | geostats latfield=test.lat longfield=lon globallimit=0 - this produces no "Statistics" and no "Visualization" I greatly appreciate your time and thank you for your help with this!!
... View more