Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom cluster map complex issue: Why is join command not giving results wanted?

jip31
Motivator
‎03-08-2022 08:35 AM

hi

I use the search below in order to display markers on a map

As you can see, I use a join command in order to cross events by site between the lookup and the search

 

index=toto sourcetype=tutu
| stats count as PbPerf by site sam 
| search PbPerf > 10 
| stats dc(sam) as nbsam by site 
| where isnotnull(site) 
| join type=left site 
    [| inputlookup BpLtLg.csv 
    | rename siteName as site 
    | fields site latitude longitude ] 
| table site nbsam latitude longitude
| geostats latfield=latitude longfield=longitude globallimit=0 count(nbsam)

 

But the problem is that I have a difference between the marker displayed on the map and the reality

For example, If I do a focus on a specific site like MONTE CARLO, I have 10 events

jip31_2-1646757291577.png

But on the map, I just have 2 markers in this area with a count equal to 6 instead 10 even if I play with the zoom

jip31_1-1646757133569.png

so i understand nothing

Is it possible that this issue comes from the joind command?

If yes, is there another solution to improve my search?

thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2022 11:19 PM

Does this work for you?

| geostats latfield=latitude longfield=longitude globallimit=0 sum(nbsam)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2022 10:45 AM

Rather than join + inputlookup, try lookup

index=toto sourcetype=tutu
| stats count as PbPerf by site sam 
| search PbPerf > 10 
| stats dc(sam) as nbsam by site 
| where isnotnull(site) 
| lookup BpLtLg.csv siteName AS site OUTPUT latitude longitude 
| table site nbsam latitude longitude
| geostats latfield=latitude longfield=longitude globallimit=0 count(nbsam)
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-08-2022 09:27 PM

perfect it's better without join!

but I have the same issue

I f I have a look for a specificic site like MONTE CARLO, you cans see that I found 11 events

jip31_0-1646803402639.png

so why in this area I found only 2 markers correso

ponding to 6 events instead 12?

jip31_1-1646803522546.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-08-2022 11:19 PM

Does this work for you?

| geostats latfield=latitude longfield=longitude globallimit=0 sum(nbsam)
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-08-2022 11:24 PM

it's better now, you are the best!

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...