Greetings,
Prior to getting a stream of this data next week, I am preparing with some CSV lookups. I have two files right now: the sample data from an access point and a lookup of the AP's name and the lat lon.
Client Username,Client IP Address,Client MAC Address,Association Time,Vendor,AP Name,Radio Type,Device Name,Map Location,SSID,Profile,VLAN ID,Protocol,Session Duration,Policy Type,Avg. Session Throughput (Kbps)
,10.x.x.x,z:z:z:z:z:z,Fri Jun 24 17:09:26 PDT 2016,Apple,AP0000-street&avenue0,802.11a/n/ac,SVN-WLC-HDWIFI,System Campus > HDWIFI > HDWIFI-POD4,#cityWiFi,#cityWiFi,254,802.11n(5GHz),5min 12sec,NOTAVAILABLE,<0.1
so that's the data, below is the lookup
AP Name,lat,lon
AP0000-street&avenue0,37.697842, -123.000534
This search yields the right results:
| inputcsv StreetAP |join "AP Name" [|inputcsv StreetAPtable]|rename "AP Name" as apname|stats count by apname lat lon
results:
apname lat lon count
AP0000-street&avenue0 37.697842, -123.000534 221
This search yields all the same lat/lon
| inputcsv MarketAP |join "AP Name" [|inputcsv MarketAPtable]|rename "AP Name" as apname|geostats latfield=lat longfield=lon count by apname
Where have I gone wrong?
How close are the coordinates together? The geostats command groups the latitudes and longitudes into bins for easy visualization. You may have to edit the binspanlat and binspanlong attributes of the geostats command to ensure that multiple locations don't get consolidated into one because they are close to each other.
This app will be helpful:
https://splunkbase.splunk.com/app/3124/
@craigv
I finally had a chance to test this and though I need to change the map, I can see in the table that the lat/lon is changing and thus I think this did the trick.
Oh...yeah, they are each a small city block (1/10 mi) from each other.
Yes, so in that case you will want to reduce binspanlat and binspanlong to the extent practicable. I would halve each of them until you get something that works. You also might find that the Splunk tiles can't zoom in that much. In that case you might have to use an alternate tile server for the maps.
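The halving approach suggested in the thread, as an added Python sketch that is not part of the original posts and is not Splunk's code. It models binning as a single fixed grid where a cell is floor(coordinate / span), which is an assumption about how geostats buckets points; the starting spans of 22.5 and 45.0 degrees and all AP names and coordinates except the first pair are constructed.

```python
import math
from collections import defaultdict

# Constructed sample: four APs on a grid about one short block apart.
# The first pair is the lookup row shown in the thread; the rest are made up.
SAMPLE_APS = {
    "AP-A": (37.697842, -123.000534),
    "AP-B": (37.699292, -123.000534),
    "AP-C": (37.697842, -122.998704),
    "AP-D": (37.699292, -122.998704),
}

def bin_points(points, span_lat, span_lon):
    """Group AP names by grid cell. Assumption: a cell is floor(coord / span)."""
    cells = defaultdict(list)
    for name, (lat, lon) in points.items():
        cell = (math.floor(lat / span_lat), math.floor(lon / span_lon))
        cells[cell].append(name)
    return dict(cells)

def halve_until_separated(points, span_lat, span_lon, max_steps=40):
    """Halve both spans until every point has its own cell.

    Returns (halvings, span_lat, span_lon) for the first spans that work.
    """
    for step in range(max_steps + 1):
        if len(bin_points(points, span_lat, span_lon)) == len(points):
            return step, span_lat, span_lon
        span_lat /= 2
        span_lon /= 2
    raise ValueError("points still share a cell; are two of them identical?")

if __name__ == "__main__":
    # Assumed starting spans; every sample AP lands in one cell here.
    coarse = bin_points(SAMPLE_APS, 22.5, 45.0)
    print("cells at 22.5/45.0:", len(coarse))
    steps, s_lat, s_lon = halve_until_separated(SAMPLE_APS, 22.5, 45.0)
    print(f"{steps} halvings -> binspanlat={s_lat:.6f} binspanlong={s_lon:.6f}")
```

The resulting spans are what would be tried as binspanlat and binspanlong on the geostats command; whether the map tiles can zoom far enough to show the separated points is a separate limit, as the last reply notes.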