
How to convert a geo map to a choropleth map?

bworrellZP
Communicator

I currently use a geo map that meets most of my requested outcome, but was asked if we can swap to a choropleth map for better visualization and data.

Using this search, I get the below:

index="Foo" NOT Error="0" | iplocation allfields=true IPAddress |  geostats globallimit=0 count by Error

[image]

Using this search, I get the below.

index="Foo" NOT Error="0"
| iplocation IPAddress
| stats count(Error) by Region
| geom geo_us_states featureIdField=Region

[image]

Somewhere I am missing how to change it to get it to show the number of each error type, when hovering over the state.

Any ideas?

jkat54
SplunkTrust

Also, you may be interested in another map viz called Clustered Single Value Map Visualization. You get it by clicking on "Find more visualizations" in the visualization name drop-down, or via the app manager / Splunkbase.

[image]

With it I was able to work some magic and get multiple markers for each EventCode in the event logs I have in my main index. In this case I had 4 events with EventCode 1001 which "happened" in New York.

... | iplocation src_ip | rename lon AS longitude lat AS latitude | stats count(EventCode) AS Count BY EventCode latitude longitude | eval description=mvzip(EventCode,Count) | table latitude longitude description

[image]


bworrellZP
Communicator

Thank you, that did provide interesting visuals, but appears to not be what they wanted created.


jkat54
SplunkTrust

What happens if you try list(Error) in your stats command?


bworrellZP
Communicator

If I replace the Count with List, I get each incident of 2020 in a line, for example.


jkat54
SplunkTrust

Yeah, I tested and it didn't work for me either.

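A worked search for the question in this thread, added here as an example; it is not from the original posts or from Splunk's documentation. It produces one row per state with a total for shading the choropleth plus a multivalue field that lists the count of each Error value, which is what the hover was meant to show. The two-step aggregation is the point: list(Error), as tried above, keeps one entry per event, so a state with 2020 matching events gets 2020 lines, while counting per Region and Error first and then collapsing with values() yields one line per error type. The index, field names and filter are taken from the question; the search Region=* step is my addition and drops events whose IP did not resolve to a state (private or unknown addresses), which geom could not place anyway. Whether the choropleth tooltip displays the extra fields in each row depends on the viz and Splunk version you run, so treat that as an assumption to check.

```spl
index="Foo" NOT Error="0"
| iplocation IPAddress
| search Region=*
| stats count BY Region Error
| eval error_and_count=Error.": ".count
| stats sum(count) AS total values(error_and_count) AS errors_by_type BY Region
| geom geo_us_states featureIdField=Region
```

total is the first numeric field after Region, so it drives the shading; errors_by_type carries the per-error breakdown as a multivalue string (for example "1001: 4" and "1002: 1" on two lines). If you would rather have one numeric column per error type, replace the eval and the second stats with chart count OVER Region BY Error followed by addtotals fieldname=total, then keep the same geom line; which of those columns the map shades by is again something to confirm on your version rather than assume.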