Is it possible to show country names instead of la...

HattrickNZ · ‎08-16-2015

In the pic below, is there a way that you can display the country name in the pop up instead of the lat and long values?

EDIT1 trying to answer woodcocks comment below

The stats that feed the above pic look as follows: (it is taken from Splunk 6.x Dashboard Examples)

geobin  latitude    longitude   GET POST
bin_id_zl_0_y_3_x_2 -10.00000   -55.00000   8   6
bin_id_zl_0_y_4_x_1 19.43420    -99.13860   5   2
bin_id_zl_0_y_4_x_2 11.37778    -73.14076   12  6
bin_id_zl_0_y_4_x_5 16.67630    77.27630    12  7

The stats that feed the map I am working on looks like this: (but i get the same view with lat and long on the popup as above)

latitude    longitude   NumberofRegisteredSubscribers   ks_countryname
-25.274398  133.775136  1442    Australia
37.09024    -95.712891  662 United States

Similar questions here
http://answers.splunk.com/answers/129281/map-geostats-display-city-instead-of-latitude-and-longitude...
https://answers.splunk.com/answers/302088/splunk-625-label-the-maps-popup.html

mporath_splunk · ‎09-28-2015

Splunk 6.3 introduced Choropleth Maps as a new visualization type. iplocation adds a Country field, which you can use to show a metric on a Choropleth map. If you can't use iplocation, you can resolve a latitude/longitude combination to find out which country the coordinate is located in. The tooltip then shows the country name when you hover over it.

For your data the search would look something like this:

IPs exist to use with iplocation

...
| iplocation clientip
| stats count as NumberofRegisteredSubscribers by Region
| geom geo_countries featureIdField=Region

No IPs to use with iplocation

...
| lookup geo_countries latitude longitude OUTPUT featureId AS ks_countryname
| stats count as NumberofRegisteredSubscribers by ks_countryname
| geom geo_countries featureIdField=ks_countryname

You can find more information on Choropleth Maps and Geospatial Indexes in the Splunk Docs for 6.3.

woodcock · ‎08-30-2015

Here are 2 options, assuming GET and POST are in a field called http_req:

... | eval http_req = country . "-" . http_req | geostats latfield=Latitude longfield=Longitude count by http_req

... | append [|inputlookup countries_lat_long_int_code.csv| eval http_req = country ] | geostats latfield=Latitude longfield=Longitude count by http_req

MuS · ‎08-30-2015

Hi HattrickNZ,

you can concatenate the strings used in the by clause of geostats. I used something like this in a private app, showing new moon dates for places on the map:

| eval dates=NewMoon_starts." - ".NewMoon_ends 
| other splunk foo
| geostats latfield=Latitude longfield=Longitude count by dates

and it shows like this:

Hope this helps ...

cheers, MuS

woodcock · ‎08-17-2015

You need to tell us what is generating the latitude and longitude values. Usually this system/DB/lookup is the one that maps to country. Are you using iplocation or something else?

HattrickNZ · ‎08-30-2015

the lat and long values are in a lookup that looks like the following:

| inputlookup countries_lat_long_int_code.csv

code    country latitude    longitude   name
376 AD  42.546245   1.601554    Andorra
971 AE  23.424076   53.847818   United Arab Emirates
93  AF  33.93911    67.709953   Afghanistan
355 AL  41.153332   20.168331   Albania
374 AM  40.069099   45.038189   Armenia

Based on this how would I achieve my original question

Is it possible to show country names instead of latitude and longitude values in the pop-ups on Splunk maps?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life