How to resolve error in my geostats search "Error ...

raindrop18 · ‎04-19-2017

I have this search and I keep getting "Error in 'geostats' command: The argument 'over' is invalid". How I can replace "over" to get what I am expecting?

index=X source=X host=XX "request from IP *"  | rex "(?i) IP (?P[^ ]+)"   |  rex "(?i) username (?P[^ ]+)"  | iplocation clientIP | geostats latfield=lat longfield=lon | iplocation clientIP | geostats latfield=lat longfield=lon dc(UsrName) over clientIP

gcusello · ‎04-19-2017

Hi raindrop18,
try something like this:

index=X source=X host=XX "request from IP *" 
| rex "(?i) IP (?P[^ ]+)" 
| rex "(?i) username (?P[^ ]+)" 
| iplocation IP
| geostats latfield=lat longfield=lon dc(UsrName) by clientIP

see http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Geostats

Bye.
Giuseppe

raindrop18 · ‎04-19-2017

so this query on regular chart showed me, sorted the client IP has the highest number of username. just added "| sort - dc(UsrName)" at the end. currently on geostats only see the lowest number.

raindrop18 · ‎04-19-2017

thanks much Giuseppe, quick question is that possible to sort the out put on Geostats?

gcusello · ‎04-19-2017

Output should be sorted by clientIp.
What is the field you would use?
Bye.
Giuseppe

How to resolve error in my geostats search "Error in 'geostats' command: The argument 'over' is invalid"?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life