A display function that groups result events according to the extracted elements of the IP address in one or more of its geoip columns.
geoip ([IP_Column_Name]) group by [country,country code,city,region]
IP_Column_Name
Syntax: <character string>
Description: The name of the column header that has IP address values.
country, country code, city, and/or region
Description: The extracted part of the IP address according to which to group the results.
None
For each event that has the specified IP_Column_Name with an IP address value, geoip extracts the country name, country code, city, and/or region from the IP address, using an internal database. It then shows the result of performing a specific function on the search result events, grouped by country name, country code, city, and/or region, as required.
Example 1:
* in log.access | count | geoip client ip group by country,city | order by count desc
Creates a summary table of the count of all events in log access, grouped according to the country and the city within the country, both extracted from the IP address in the client ip column. The table is sorted in descending order of the number of events in each city group.
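What the Example 1 pipeline computes, emulated in Python as an added illustration (this is not the product's code). Assumptions: `GEO_DB` is a constructed stand-in for the internal database, the events are constructed, and grouping addresses missing from the database under "unknown" is this example's choice, not documented product behavior.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the internal GeoIP database. The networks are
# RFC 5737 documentation ranges; the locations assigned to them are made up.
GEO_DB = [
    (ipaddress.ip_network("192.0.2.0/24"),
     {"country": "Germany", "country code": "DE", "region": "Berlin", "city": "Berlin"}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"country": "United States", "country code": "US", "region": "New York", "city": "New York"}),
    (ipaddress.ip_network("203.0.113.0/24"),
     {"country": "Germany", "country code": "DE", "region": "Bavaria", "city": "Munich"}),
]

# Constructed sample events; "client ip" mirrors the column used in Example 1.
EVENTS = [
    {"client ip": "192.0.2.10"}, {"client ip": "192.0.2.11"}, {"client ip": "192.0.2.10"},
    {"client ip": "198.51.100.7"}, {"client ip": "198.51.100.8"},
    {"client ip": "203.0.113.5"},
    {"client ip": "10.0.0.1"},   # valid address, absent from GEO_DB
    {"client ip": "-"},          # column present but not an IP address value
    {"url": "/health"},          # event without the column
]

def lookup(value):
    """Return geo fields for an IP string, {} if not in GEO_DB, None if not an IP."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    for network, geo in GEO_DB:
        if addr in network:
            return geo
    return {}

def geoip_count(events, ip_column, group_by):
    """Emulate: count | geoip <ip_column> group by <group_by> | order by count desc."""
    counts = Counter()
    for event in events:
        geo = lookup(event.get(ip_column, ""))
        if geo is None:          # only events with an IP address value are grouped
            continue
        counts[tuple(geo.get(field, "unknown") for field in group_by)] += 1
    # Descending by count; ties broken by group key so the output is stable.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for group, count in geoip_count(EVENTS, "client ip", ("country", "city")):
        print(count, *group)
```
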