
How to disable location clustering of results on a map generated by the geostats command in Splunk 6.1?

jasongori
Explorer

I have a geostats map in version 6.1 and I want to force it to NOT use clustering. I want to see an indicator for each of my locations and not have them grouped. Has anyone accomplished this or do you know how it can be done? Thank you.

1 Solution

jcrabb_splunk
Splunk Employee

I would recommend trying the optional geostats argument maxzoomlevel:

As an example: index=example | geostats maxzoomlevel=15 count by host

Jacob
Sr. Technical Support Engineer


woodcock
Esteemed Legend

The accepted answer only fences the zoom; the way to do what was actually asked is like this:

... | geostats binspanlat=1 binspanlong=1 ....

mcg_connor
Path Finder

Thanks, this works better for me than the previous answer!

woodcock
Esteemed Legend

You might consider switching the Accepted answer so that other people will get the best answer.
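Why the binspanlat/binspanlong setting above separates nearby points, as an added example (not code from this thread or from Splunk): a simplified model that assumes geostats bins events into a grid whose cell size is the binspan value at zoom level 0 and halves at each deeper level, with the documented defaults of 22.5 and 45.0 degrees and zoom levels 0-9. The coordinates are constructed sample points a few blocks apart.

```python
import math

# Constructed sample data: three locations a few city blocks apart.
POINTS = [
    (40.7505, -73.9934),
    (40.7527, -73.9772),
    (40.7484, -73.9857),
]


def bin_span(span_at_zoom0, zoom):
    """Cell size in degrees at a zoom level (assumed to halve per level)."""
    return span_at_zoom0 / (2 ** zoom)


def cell(lat, lon, binspanlat, binspanlong, zoom):
    """Grid cell (row, column) that a coordinate falls into at a zoom level."""
    row = math.floor((lat + 90.0) / bin_span(binspanlat, zoom))
    col = math.floor((lon + 180.0) / bin_span(binspanlong, zoom))
    return row, col


def markers(points, binspanlat=22.5, binspanlong=45.0, zoom=9):
    """Number of distinct map markers: one per occupied grid cell."""
    return len({cell(lat, lon, binspanlat, binspanlong, zoom)
                for lat, lon in points})


if __name__ == "__main__":
    cases = [
        ("defaults, zoom 9", dict()),
        ("binspanlat=1 binspanlong=1, zoom 9", dict(binspanlat=1, binspanlong=1)),
        ("binspanlat=1 binspanlong=1, zoom 0",
         dict(binspanlat=1, binspanlong=1, zoom=0)),
        ("defaults with maxzoomlevel=15, zoom 15", dict(zoom=15)),
    ]
    for label, kwargs in cases:
        print(f"{label}: {markers(POINTS, **kwargs)} marker(s)")
```

In this model the default cell at zoom 9 is about 0.044 degrees of latitude, so all three points share one cell; a smaller starting bin or more zoom levels shrinks the cell until each point gets its own marker when zoomed in, while the zoomed-out view still groups them.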


Venkat_16
Contributor

The temporary solution was to reduce the cluster size so that the clusters don't merge, and also to fix the minimum and maximum zoom levels. I have limited locations on the map, so I used the temporary solution. Below are the options which I played around with.

<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>

jcrabb_splunk
Splunk Employee

I would recommend trying the optional geostats argument maxzoomlevel:

As an example: index=example | geostats maxzoomlevel=15 count by host

Jacob
Sr. Technical Support Engineer

woodcock
Esteemed Legend

See my unaccepted answer below for the correct setting to use for this.

eddieyugo
New Member

Thank you!! This works perfectly now 🙂


slr
Communicator

THANK YOU.

I read about the maxzoomlevel argument before, but I never used it because I understood it to be like the tile > maxzoomlevel option of the GUI. I tried it just now, and it worked.

For me, this is the answer that I wanted.

Thank you again.


Venkat_16
Contributor

You can avoid clustering by increasing the maximum number of clusters; below I have given maximum clusters as 999. You can increase the value further if you want. Keep increasing the maximum cluster value until you get a satisfactory result. But Splunk recommends that we keep the value at "100" for maximum performance.

<option name="mapping.data.maxClusters">900</option>

slr
Communicator

I guess that the "problem" is related to the maximum zoom level used by geostats. The levels are between 0 and 9. If I use OpenStreetMaps I get more zoom levels, but geostats always represents the data with the basic zoom levels (0-9). If geostats chooses that at level 9 two or more locations will be together, I can't say "don't do it" even if I use the option name="mapping.data.maxClusters" in XML.

Well... any suggestions, please?

Regards.


jreynolds20
Engager

I am running into this same problem, in that I am trying to plot points on a map, but even though OpenStreetMaps allows me to zoom down to the building level, my points plotted over the span of a few blocks always wind up being aggregated together. Any ideas on how to fix this?

slr
Communicator

Hi there.

I have the same problem, but in 6.2.3. I tried the mapping.data.maxCluesters option, but I don't get any difference. I read the docs, but I don't find answers. Any suggestions?

Regards.
