Usage of Splunk commands : GEOSTATS
Usage of Splunk commands : GEOSTATS is as follows :
- Geostats command is used to create a statistics table for the geographic data.
- Shows the statistics data on maps ( Such as : Cluster map )
Find below the skeleton of the usage of the command “geostats” in SPLUNK :
…| geostats [latfield=<string-value>] [longfield=<string-value>] [ outputlatfield=<string-value> ] [ outputlongfied=<string-value>] [<stats-functions> by <field-name>]
There are several arguments with geostats command below we have given important arguments.
- latfield – Existing field name which contains the details of latitude data format for analysis. By default value is lat.
- longfield – Existing field name which contains the details of longitude data format analysis. By default value is lon.
- outputlatfield – To specify the latitude field name for the output fields generated by geostats command . By default value is latitude .
- outputlongfield – To specify the longitude field name for the output fields generated by geostats command . By default value is longitude .
- stats-functions – To specify aggregate functions for statistical analysis ( Such as count, sum, avg etc )
Example 1 :
index=_internal sourcetype=splunkd_ui_access | iplocation clientip | geostats count by City
Result:
Visualization:
Explanation :
In the above query _internal is the index and sourcetype name is splunkd_ui_access . By the iplocation command we have taken the information of clientip from MMDB data base . Here clientip is an existing field name in _internal index. So after using iplocation command we are getting City , Country , Region, lat ,lon for all the values of clientip field. At last we have used to geostats command to get the statics of geographic data . We are getting count of City by the count function with geostats command .
*********************************************************************************
Example 2:
index=_internal sourcetype=splunkd_ui_access | iplocation clientip | rename lon as client_lon, lat as client_lat | geostats count by City latfield=client_lat longfield=client_lon
Result:
Visualization:
Explanation:
In the above query _internal is the index and sourcetype name is splunkd_ui_access . By the iplocation command we have taken the information of clientip from MMDB data base . Here clientip is an existing field name in _internal index. So after using iplocation command we are getting City , Country , Region, lat ,lon for all the values of clientip field. We have renamed lon field as client_lon and lat field as client_lat by rename command. Now in the client_lon field it is containing the longitude value for clientip field and in the client_lat field it is containing the latitude value for clientip field. At last we have used to geostats command to get the statics of geographic data also we have specified latfield= client_lat and longfield= client_lon for getting data . If you don’t specify latfield and longfield argument, by default geostats command takes lat as latfield and lon as longfield. Here you have to specify latfield and longfield because we have renamed lat and lon field. We are getting count of City by the count function with geostats command .
*****************************************************************************
Example 3:
index=_internal sourcetype=splunkd_ui_access | iplocation clientip | rename lon as client_lon, lat as client_lat | geostats count by City latfield=client_lat longfield=client_lon outputlatfield=IP_LAT outputlongfield=IP_LON
Result:
Visualization:
Explanation:
In the above query _internal is the index and sourcetype name is splunkd_ui_access . By the iplocation command we have taken the information of clientip from MMDB data base . Here clientip is an existing field name in _internal index. So after using iplocation command we are getting City , Country , Region, lat ,lon for all the values of clientip field. We have renamed lon field as client_lon and lat field as client_lat by rename command. Now in the client_lon field it is containing the longitude value for clientip field and in the client_lat field it is containing the latitude value for clientip field. At last we have used to geostats command to get the statics of geographic data also we have specified latfield= client_lat and longfield= client_lon for getting data . If you don’t specify latfield and longfield argument, by default geostats command takes lat as latfield and lon as longfield. Here you have to specify latfield and longfield because we have renamed lat and lon field. With the geostats command we have specified outputlatfield=IP_LAT and outputlongfield=IP_LON to get the output latitude field as IP_LAT and longitude field as IP_LON . By default geostats command generates latitude and longitude field as a output fields. We are getting count of City by the count function with geostats command .
Now you can effectively utilize “geostats” command in your daily use to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk commands : GEOSTATS
Happy Splunking !!
[…] In the above query _internal is the index and sourcetype name is splunkd_ui_access . By the iplocation command we have taken the information of clientip from MMDB data base . Here clientip is an existing field name in _internal index. So after using iplocation command we are getting City , Country , Region, lat ,lon for the values of clientip field. By the stats command we have taken count by City. At last we have used geom command to view the data in choropleth map . Here geo_countries is the geographic lookup file name. Also we have used featureIdField argument as in the event featureId field is in different name called Country. That’s why we have given featureIdField=”Country” to match the field values. In geom command it shows the origin country of the data and also it is quite similar to the geostats command. […]
[…] in below panel. For more information about geostats command and iplocation command you can visit Usage of Splunk commands : GEOSTATS and Usage of Splunk commands : […]