I'm trying to make a cluster map in Splunk by their IP address.
I grouped the IP by id number, and I want to only show the cluster which each an ID has more than 3 IP addressess.
I have the following code:
index="xxx" id != "-" | iplocation ip | geostats dc(ip) by id
And I tried to make a variable name for dc(ip) (like dc(ip) as ipCount) so that I can use it in the where clause (where ipCount > 3), but unfortunately geostats doesn't allow me to rename.
Does anybody know how or where to add a where clause or is there another way of making the map?
Thank you
without testing, maybe something along those lines:
index="xxx" id != "-"
| eventstats dc(ip) as unique_ips by id
| where unique_ips > 3
| iplocation ip | geostats max(unique_ips) by id
hope it helps
without testing, maybe something along those lines:
index="xxx" id != "-"
| eventstats dc(ip) as unique_ips by id
| where unique_ips > 3
| iplocation ip | geostats max(unique_ips) by id
hope it helps