Splunk Search

geostat is taking only one value from the lookup table

gwtm_hak
Engager

I'm trying to show the count of the number of hosts in an area using a cluster map.
I have added a lookup CSV file with the hostname, the city it belongs to, lat, and long.
But when I try the below query:

index="*" | lookup host_loc.csv host | geostats latfield="latitude" longfield="longitude" count by city

I get the output as

In the visualization, it takes only one host linked to the city Maynard and displays the details on the map.

host,city,latitude,longitude
node0-zanzibar,Dallas,32.78306, -96.80667
node1-zanzibar,Cupertino,37.3229978, -122.0321823
9279ad97-ccd3-4f22-a10b-e6bec987af5f,Sacramento,42.4334269,-71.449507
a4109611-98b7-422e-a4aa-e8c8ab299b11,Maynard,38.58157, -121.4944

Is geostat linked to my IP? Even when I replace the city Maynard with a different hostname, it is taking the count of that hostname only.
It's weird. Can anyone explain why this is happening?

0 Karma

mayurr98
Super Champion

Try:

index="*" 
    [| inputlookup host_loc.csv 
    | table host ] 
| geostats latfield="latitude" longfield="longitude" count by city
0 Karma

gwtm_hak
Engager

No, it is not working.
Even the count is not showing.

0 Karma