Hi,
I am using iplocation followed by geostats to plot my data on a map. My query looks like this.
index=index_name | iplocation ip_address | geostats first(item_number) as Item
The query works fine and I get the value and label of the field Item in map marker tool tip.
Now I am just trying to display the City name along with the field, like this:
index=index_name | iplocation ip_address | geostats first(City) as City first(item_number) as Item
This search works fine and displays results on the search page along with the City name. But when used in the map it does not display the field City in the marker's tooltip.
I even assigned the value of the City field to a different field using eval and tried to display that field, but it did not work.
I cannot use by City like this:
index=index_name | iplocation ip_address | geostats first(item_number) as Item by City
because geostats does not allow aliases if I use group by. I get this error on the search page:
Error in 'geostats' command: The argument 'Item' is invalid.
Any ideas on how to display the City name? Any help is appreciated.
Thanks
I had a similar situation. I wanted to count by two fields but geostats would not allow that. So I created a new field combining the two fields I needed and did my count by the new field and it worked. Here is part of a sample search.
... | eval CountInfo=DateTime.": ".Location | table DateTime, Location, CountInfo | geostats latfield=lat longfield=lon count by CountInfo
The resulting tooltip included both the date and time info as well as the location. Exactly what I wanted.
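Applying that workaround to the search from the original question, as an added example (not from the questioner or the answerer): the City and item_number fields are the ones named in the question, `index_name` is a placeholder, and `Label` is a field name chosen for this example. `lat` and `lon` are the default output fields of iplocation and the default latfield/longfield of geostats, so they are spelled out only for clarity.

```spl
index=index_name
| iplocation ip_address
| eval Label=coalesce(City, "unknown").": ".item_number
| geostats latfield=lat longfield=lon globallimit=0 count by Label
```

The coalesce() keeps events whose IP has no city in the GeoIP database from being dropped by the by clause (a null City makes the whole concatenation null). globallimit=0 stops geostats from folding everything past its default of 10 categories into OTHER, so every City: item_number pair appears in the marker tooltip; the trade-off is a larger result set on maps with many distinct values.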
This app will be helpful:
https://splunkbase.splunk.com/app/3124/
I'm seeing the same problem as well. I believe the documentation says you should be able to use AS and BY in the same geostats, but it doesn't seem to work.
geostats sum(accepted),sum(denied),sum(unapproved) by app works
geostats sum(accepted) as accepted,sum(denied) as denied,sum(unapproved) as unapproved by app fails
Hi, I tried a similar method and was successful in bringing the city name to the tooltip, but the issue is I am getting different colors for different cities; I need it to display the color of the city based on severity. The query goes like:
... | eval sev=case(units>=120,"sev1",units<120 AND units>=50,"sev2",units<25,"sev3") | eval new_field=city.": ".sev | geostats globallimit=0 latfield=latitude longfield=longitude count by new_field