Usage of Splunk commands : GEOSTATS

Usage of the Splunk command geostats is as follows:

  • The geostats command generates a statistics table from geographic (latitude/longitude) data.
  • The resulting statistics can be shown on a map visualization (such as a cluster map).

The syntax of the geostats command in Splunk is:

…| geostats [latfield=<string-value>] [longfield=<string-value>] [outputlatfield=<string-value>] [outputlongfield=<string-value>] [<stats-functions> by <field-name>]

The geostats command accepts several arguments; the important ones are listed below.

  • latfield – Name of an existing field that holds the latitude values to analyse. Default: lat.
  • longfield – Name of an existing field that holds the longitude values to analyse. Default: lon.
  • outputlatfield – Name to give the latitude field in the output rows generated by geostats. Default: latitude.
  • outputlongfield – Name to give the longitude field in the output rows generated by geostats. Default: longitude.
  • stats-functions – The aggregate functions to compute for the statistical analysis (such as count, sum, avg).

Example 1:

index=_internal sourcetype=splunkd_ui_access
| iplocation clientip
| geostats count by City

Result:

[image: gs1]

Visualization:

[image: gs2]

Explanation:

In the above query, _internal is the index and splunkd_ui_access is the sourcetype. The iplocation command looks up each value of clientip, an existing field in the _internal index, in the MMDB database, so after iplocation every event carries City, Country, Region, lat and lon for its clientip value. Finally, geostats computes the geographic statistics: the count function gives the number of events per City, and the events are placed on the map using the default lat and lon fields.

*********************************************************************************

Example 2:

index=_internal sourcetype=splunkd_ui_access
| iplocation clientip
| rename lon as client_lon, lat as client_lat
| geostats count by City latfield=client_lat longfield=client_lon

Result:

[image: gs3]

Visualization:

[image: gs4]

Explanation:

In the above query, _internal is the index and splunkd_ui_access is the sourcetype. The iplocation command looks up each value of clientip, an existing field in the _internal index, in the MMDB database, so after iplocation every event carries City, Country, Region, lat and lon for its clientip value. The rename command then renames lon to client_lon and lat to client_lat, so client_lon now holds the longitude and client_lat the latitude for each clientip. Finally, geostats computes the geographic statistics, and we specify latfield=client_lat and longfield=client_lon so it reads the renamed fields. If you do not specify the latfield and longfield arguments, geostats defaults to lat and lon; here they must be specified because those fields no longer exist after the rename. The count function gives the number of events per City.

*****************************************************************************

Example 3:

index=_internal sourcetype=splunkd_ui_access
| iplocation clientip
| rename lon as client_lon, lat as client_lat
| geostats count by City latfield=client_lat longfield=client_lon outputlatfield=IP_LAT outputlongfield=IP_LON

Result:

[image: gs5]

Visualization:

[image: gs6]

Explanation:

In the above query, _internal is the index and splunkd_ui_access is the sourcetype. The iplocation command looks up each value of clientip, an existing field in the _internal index, in the MMDB database, so after iplocation every event carries City, Country, Region, lat and lon for its clientip value. The rename command then renames lon to client_lon and lat to client_lat, so client_lon now holds the longitude and client_lat the latitude for each clientip. Finally, geostats computes the geographic statistics, and we specify latfield=client_lat and longfield=client_lon so it reads the renamed fields. If you do not specify the latfield and longfield arguments, geostats defaults to lat and lon; here they must be specified because those fields no longer exist after the rename. We also specify outputlatfield=IP_LAT and outputlongfield=IP_LON so that the output latitude field is named IP_LAT and the output longitude field IP_LON; by default geostats names these output fields latitude and longitude. The count function gives the number of events per City.
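To make the argument semantics of the three examples concrete without a Splunk instance, here is an added Python emulation of the geostats aggregation. It is not Splunk's code and not from the original post: it works on a constructed list of events that are assumed to already carry the City, lat and lon fields that iplocation would add (the IPs and coordinates are made up), and it uses fixed 10-degree grid cells instead of Splunk's zoom-dependent binning. It reproduces the three behaviours discussed above: the default latfield/longfield, the fact that after renaming lat and lon the defaults silently place nothing on the map (Example 2), and the renamed output columns of Example 3.

```python
"""Simplified emulation of Splunk's geostats count aggregation (added example).

Assumed simplifications: events are already geolocated, and cells are fixed
10-degree bins rather than Splunk's adaptive per-zoom-level binning.
"""
import math
from collections import Counter, defaultdict

# Constructed sample events, roughly what
#   index=_internal sourcetype=splunkd_ui_access | iplocation clientip
# would produce. IPs are documentation ranges; coordinates are illustrative.
SAMPLE_EVENTS = [
    {"clientip": "203.0.113.10", "City": "Sydney",  "lat": -33.87, "lon": 151.21},
    {"clientip": "203.0.113.11", "City": "Sydney",  "lat": -33.87, "lon": 151.21},
    {"clientip": "198.51.100.7", "City": "Paris",   "lat": 48.86,  "lon": 2.35},
    {"clientip": "198.51.100.8", "City": "London",  "lat": 51.51,  "lon": -0.13},
    {"clientip": "192.0.2.44",   "City": "Toronto", "lat": 43.65,  "lon": -79.38},
    {"clientip": "192.0.2.45",   "City": "",        "lat": None,   "lon": None},  # lookup miss
]

BIN_DEGREES = 10.0  # assumed fixed cell size for this emulation


def rename_fields(events, mapping):
    """Emulate `| rename old AS new` for every old -> new pair in mapping.

    Returns new dicts; the input events are left untouched.
    """
    renamed = []
    for ev in events:
        ev = dict(ev)
        for old, new in mapping.items():
            if old in ev:
                ev[new] = ev.pop(old)
        renamed.append(ev)
    return renamed


def geostats_count(events, by, latfield="lat", longfield="lon",
                   outputlatfield="latitude", outputlongfield="longitude"):
    """Return one row per geographic cell with an event count per `by` value.

    Mirrors the argument semantics on the page: latfield/longfield name the
    input coordinate fields (defaults lat/lon); outputlatfield/outputlongfield
    name the coordinate columns of each output row (defaults latitude/longitude).
    Events whose coordinate fields are absent or empty cannot be placed on a
    map and are skipped, which is why a rename of lat/lon without matching
    latfield/longfield arguments yields no rows at all.
    """
    cells = defaultdict(Counter)
    for ev in events:
        lat, lon = ev.get(latfield), ev.get(longfield)
        if lat in (None, "") or lon in (None, ""):
            continue
        lat, lon = float(lat), float(lon)
        cell = (math.floor(lat / BIN_DEGREES), math.floor(lon / BIN_DEGREES))
        cells[cell][ev.get(by, "")] += 1

    rows = []
    for (ci, cj), counter in sorted(cells.items()):
        row = {
            outputlatfield: ci * BIN_DEGREES + BIN_DEGREES / 2,   # cell centre
            outputlongfield: cj * BIN_DEGREES + BIN_DEGREES / 2,
        }
        row.update(counter)  # one column per split-by value, holding its count
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Example 1: defaults
    for row in geostats_count(SAMPLE_EVENTS, by="City"):
        print(row)
    # Example 2: after rename, defaults find nothing; explicit fields work
    renamed = rename_fields(SAMPLE_EVENTS, {"lon": "client_lon", "lat": "client_lat"})
    print(geostats_count(renamed, by="City"))
    print(geostats_count(renamed, by="City",
                         latfield="client_lat", longfield="client_lon"))
    # Example 3: renamed output coordinate columns
    print(geostats_count(renamed, by="City",
                         latfield="client_lat", longfield="client_lon",
                         outputlatfield="IP_LAT", outputlongfield="IP_LON"))
```

The empty result in the renamed-but-defaults case is the practical check to keep in mind: a map that suddenly shows nothing after a rename or field extraction change is usually this, not an absence of events.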

Now you can effectively use the geostats command in your daily work to meet your requirements!

Hope you are now comfortable with the usage of the Splunk command geostats.

Happy Splunking !!
