Welcome

Welcome to Splunk Answers! Not what you were looking for? Refine your search.

Hello,

I'm having an issue with geostat visualization for one of my splunk searches. I have a large lookup file that simply stores a list of devices and corresponding longitude/latitude coordinates. When I say large I mean about 150 MBs and a bit over 2 million lines.

The lookup file has only 3 fields in it: model, lat, and lon

This is my Splunk search:

|inputlookup geosource.csv

|geostats latfield=lat longfield=long count by model

The search returns results but only for the most populous model rather than all the models.

when I run the regular stats command instead I get the expected results

|inputlookup geosource.csv

|stats count by model

Outputs 15 values

If I limit the event count to 1,000,000 using the following search I also get the expected output

|inputlookup geosource.csv

|sort 1000000 lat

|geostats latfield=lat longfield=long count by model

I'm looking for a way to visualize the full list. Thanks in advance for any help.

Comment

@StephenQuinn, can you try whether the following query works?

First try without geostats to see how many records are returned. If it works then add `geostats`

and check

```
| inputlookup geosource.csv
| stats count(model) as Total by lat long
| geostats sum(Total) latfield=lat longfield=long
```

Also see if the following query is working fine to give total events present in lookup file.

```
| inputlookup geosource.csv
|stats count
```

I ran the searches as you suggested.

| inputlookup geosource.csv

| stats count

returns a count of 2.3 million

| inputlookup geosource.csv

| stats count(model) as Total by lat long

returns 7,816 statistics

| inputlookup geosource.csv

| stats count(model) as Total by lat long

| geostats sum(Total) latfield=lat longfield=long

returns 11,301 statistics

| inputlookup geosource.csv

| stats count(model) as Total by lat long

| geostats sum(Total) latfield=lat longfield=long

returns the same results as | inputlookup geosource.csv |stats count

Can you re-run the second query to get the sum of all Totals and confirm the same?

```
| inputlookup geosource.csv
| stats count(model) as Total by lat long
| addcoltotals col=t row=f
| reverse
```

| inputlookup geosource.csv

| stats count(model) as Total by lat long

| addcoltotals col=t row=f

| reverse

returns 7817 results so it's off by 1

@StephenQuinn not the result count, the addcoltotals command does a total of a column which is numeric. I wanted you to check the cumulative sum of all Total for the 7817 rows. Through reverse command it should be the first row.

Oh I see what you mean, that explains the extra row. The Total for the first row after running your suggested search is 2.3M, so it's the same as | inputlookup geosource.csv | stats count

Great that means your query is working fine. Now if you plug in the geostats command and you get 7816 rows then you are good :) Hope this helps.

```
| inputlookup geosource.csv
| stats count(model) as Total by lat long
| geostats sum(Total) latfield=lat longfield=long
```

I was wondering how it was possible that the geostats command resulted in an increase in the number of rows...

Hi,

To remove the increase in your results you will need to set the maxzoomlevel to 0

maxzoomlevel=0

Hope this can help.

tnx

I've been curious about that as well but it appears to be caused by the lat/long binning in the geostats command.

| stats count(model) as Total by lat long

| stats sum(Total)

returns the total number of lines in my csv file

| stats count(model) as Total by lat long

| geostats sum(Total) latfield=lat longfield=long

whereas this returns the number of bins

Similarly if I just count by lat, I get 93 results with the standard stats command where everything is grouped by lat points from my file |stats count by lat

and I get 773 results with the geostats command where everything is grouped by splunk geobins.

|geostats latfield=lat,longfield=long count by lat

Use this widget to see the actions stream for the question.

Get actions

**Tags:**

splunk-enterprisegeostatslimits

**Asked:** Oct 30, 2017 at 12:07 PM

**Seen:** 254 times

**Last updated:** Jan 3, '18

Get actions

splunk-enterprisegeostatslimits

How to calculate limits for agents based on their activity?

1
Answer

Why is geostats not showing data for all expected countries when the search finishes?

1
Answer

Why is geostats not working when used in a base search?

0
Answers

Is it possible to change the colors on a geostats based on values from another panel/search?

0
Answers

Copyright © 2005-2018 Splunk Inc. All rights reserved.

- Anonymous
- Sign in
- Create
- Ask a question
- Upload an App
- Explore
- Tags
- Answers
- Apps
- Users
- Badges

20 ● 2