What are OTHER and VALUE data generated by doing a geostats count by Region on Splunk maps?

halkelley
Path Finder

I'm doing a geostats count by Region (after doing an iplocation on my customer's ip):
1) if data is put into "OTHER", how does it still appear in a place on the map?
2) when zoomed out, the map pie chart count indicators don't include all the "OTHER" data that shows up when you zoom in (or maybe the "OTHER" is being distributed elsewhere?)
3) geostats is also giving a column called "VALUE" - what is that?

0 Karma

marcoscala
Builder

hi!
To get rid of "VALUE", you can use an eval like this:
...| iplocation .... | eval Region=if(Region=="", "NA", City) | geostats ....

Marco

0 Karma

f_luciani
Path Finder

Hi,

OTHER values show up due to global limits for the geostats command. You can get rid of it by setting globallimit=0. Then it will show all values found.

This, on cue, brings us to question 1, and the answer is likely to be that the data that appears as OTHER in the maps is related to the country it appears in (if you zoom in enough) but cannot be shown due to the aforementioned limits. Once you set it to 0, it will pinpoint all data which has latitude and longitude values associated with it (or at least will try, poor thing). Notice it always shows up around the geographical center of the country map it belongs (or is supposed to belong) to, because it is treated as a generic value for a given country. If you zoom inside a country, no border rule applies, so it will show up in the center of the screen (or any other center it thinks is proper for display). Anyway, OTHER is a generic value and, although it is a list of valid latitude and longitude values, you must disable the limits in order to have it spread over the map with names and addresses.

Regarding question 2, yes, it sometimes slips in and out of the borders, and it is not due to any inaccuracy but the sole fact that, sometimes, there is not enough space on screen or, the opposite, the screen is huge or you zoomed out far enough for it to get spread over in a proper fashion and more accurately pinpointed. Or the other way around, can't check right now, but you got the point, right?

As for question 3, not all results bring along the latitude and longitude values associated with them, only the country values. Thus, the only sensible thing left to be done is to put it (like OTHER values) in the geographical center of the country (or the center of your screen, given the amount of zoom you treated it to). Really annoying, I've been trying to get rid of these VALUE labels to no avail, mainly because they make my maps look dreadfully untidy. No luck so far.

My 2 cents. Or not. Who knows?

halkelley
Path Finder

good input - thanks

0 Karma

jsven7
Communicator

@halkelley mark as answer pls.

0 Karma

halkelley
Path Finder

What I observe re #1 is that most of the data points identified as OTHER map to the center of the 48 states (lat/lon 38.00000/-97.00000).

0 Karma