I have a field [Driver State] which contains all the US states in abbreviated format (MD = Maryland).
I want to generate a choropleth map from the data and currently have the search:
index=traffic sourcetype="csv" | stats count by "Driver State" | geom geo_us_states featureIdField="Driver State"
I cannot figure out how to get Splunk to read the abbreviations, unless it is something more obvious I am doing wrong.
Is there another part of the search I am missing, or do I need to convert all of the abbreviations to their full length names?
Any help is appreciated,
Thanks
... View more