How to categorize count results by country

parwindertaank · ‎04-24-2018

I have the following code from a web log, which gives me a table of the Time (by minute) the total for that minute, and the prediction and residual values.

I want to separate this by country, not just time.
ie, for each country and their times, what are the count values etc.

How can I update my code, which doesnt split the total and time by country?

index=* sourcetype ="access_combined" clientip=* 
  | iplocation clientip
  | bin _time span=1m 
  | stats count AS perMin by _time, Country
  | timechart span=1m sum(perMin) AS Total
  | predict Total as prediction algorithm=LLP future_timespan=5 holdback=0 
  | where prediction!="" AND Total!="" 
  | eval residual = prediction - Total

TISKAR · ‎04-24-2018

Can you try this:

 index=* sourcetype ="access_combined" clientip=* 
       | iplocation clientip
       | bin _time span=1m 
       | stats count AS perMin by _time, Country
       | bin _time span=1m 
       | stats sum(perMin) AS Total by _time Country
       | predict Total as prediction algorithm=LLP future_timespan=5 holdback=0 
       | where prediction!="" AND Total!="" 
   | eval residual = prediction - Total

parwindertaank · ‎04-25-2018

This works in splitting the results by Country!

Im not sure however if the prediction for the Total is accurate anymore, because the values I get for each country by minute are way off from the actual values.

How can I modify my predict command on Total use only the values for each country by minute for the prediction?

How to categorize count results by country

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!