- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Mapping by Zip code
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mapping by Zip code
When I am trying to map by Zipcode I get the stats table to genereate but when switching to geostats it takes 4 results from the stats table and makes it 39. Seems to be grouping by geobin instead of zip
Any ideas why this is happening?
index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long Sum(Count)
index="IndexA" servco_name="Store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| Stats Sum(Count) by Zipcode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you might just be missing a "BY" clause...
index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long Sum(Count) BY Zipcode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATE:
index="indexA" servco_name="store*" servtype_id="CFAIL"
| rename zip_code as Zipcode
| stats Sum(Count) as Count by Zipcode
| lookup zip_code Zipcode OUTPUT Lat Long
| geostats latfield=Lat longfield=Long values(Count) as Count values(Zipcode) as Zipcode
how about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I add that by Zipcode clause I still get more stats than events.
796 events, 344 stats when count by Zipcode but it create 1,427 map points using geostats
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is that wrong?
Do you want to count by each Zipcode?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to see number of events per Zipcode
This is how it show up with the geostats most of the geobins contains multiple zips.
geobin latitude longitude Zipcode
bin_id_zl_0_y_4_x_1 20.50500 -156.95500 96701
96740
bin_id_zl_0_y_5_x_1 35.54629 -108.64629 38637
50322
50613
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you check Zipcode lat and lon are right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this two searches or one? I also see that you're doing a sum of a count? Could you give some sample data and your desired output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is 2 searches The first one gives way extra results when mapping, the 2nd one gives the correct rollup.
I can't give the raw data due to privacy but in the data there is a field called zip_code, I use a lookup to get the lat and long associated with that zip and then want to map the events by zip.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
