Splunk Search

Lookup based range of latitude and longitude

Shisa
Explorer

Hi
I'm looking for a sample search that calculates the count of events that fall within a 500m radius of each lat/long in a lookup table.

Sample events:
2017/02/02 10:00:01 event_id="1" latitude="34.49293" longitude="132.399270"

Lookup sample "MASTER" for location (CSV):
shop,address,latitude,longitude
AAA,563 2nd St,34.492109,132.399582
BBB,201 3rd St,34.395424,132.488734

Expected output table:
shop,address,latitude,longitude,event match count
AAA,563 2nd St,34.492109,132.399582,1
BBB,201 3rd St,34.395424,132.488734,0

I tried and could create the following search, which finds events within a 500m radius of the lat/long in the lookup table.

sourcetype=hoge
    [| inputlookup MASTER.csv
     | eval w_lng = longitude - (500 / 25.2450 * 0.000277778)
     | eval w_lat = latitude - (500 / 30.8184 * 0.000277778)
     | eval e_lng = longitude + (500 / 25.2450 * 0.000277778)
     | eval e_lat = latitude + (500 / 30.8184 * 0.000277778)
     | table shop address longitude latitude w_lng w_lat e_lng e_lat
     | eval search = "(longitude >= " . w_lng . " AND latitude >= " . w_lat . ") AND (longitude <= " . e_lng . " AND latitude <= " . e_lat . ")"
     | fields search]

But I'm not sure how to create the expected output table.

Any sample search would be really appreciated.

0 Karma

DalJeanis
Legend

How dense is the data? That is, are the events likely to be within 500 miles of a high percentage of the locations, or just a few of them?

How many locations are on your lookup table? Presumably, the list of locations is much smaller than the list of event locations.

So, one possible solution would be to think in terms of "regions". Let's say that your latitude and longitude for the event, for lookup purposes, will be rounded to the nearest 1 degree, or 3 degree, or 5 degree point.

At the 5-degree level, latitude="34.49293" and longitude="132.399270" would go to lookupLatLong="35,130"

Now, on your lookup location table, you create a multivalue field for each location that has all the lookupLatLong values that might have a point within 500 miles of the location.

This way, a single lookup returns all candidate locations that MIGHT be within 500 miles. Then you use an accurate calculation to estimate the distance more closely, for example the spherical law of cosines -

=ACOS( SIN(lat1)*SIN(lat2) + COS(lat1)*COS(lat2)*COS(lon2-lon1) ) * 3962

0 Karma

Shisa
Explorer

Sorry for the misleading sentence. I mean that 500m is 500 meters (0.3 miles).

0 Karma
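As an added stand-alone illustration (Python, not SPL, and not code from either poster) of the two-stage approach DalJeanis describes, applied to the asker's 500 meter radius and expected output table: the shop rows and event 1 are the thread's own samples, while the 0.01 degree grid cell size and events 2 to 4 are constructed assumptions for this example.

```python
from collections import defaultdict
from math import acos, cos, floor, radians, sin

EARTH_RADIUS_M = 6_371_000  # mean Earth radius, metres
CELL_DEG = 0.01             # grid cell ~1.1 km of latitude, so 500 m spans at most one cell edge

# Lookup "MASTER" from the thread: (shop, address, latitude, longitude)
SHOPS = [
    ("AAA", "563 2nd St", 34.492109, 132.399582),
    ("BBB", "201 3rd St", 34.395424, 132.488734),
]
# (event_id, latitude, longitude); event 1 is the thread's sample, the rest are constructed
PAGE_EVENTS = [("1", 34.49293, 132.399270)]
EXTRA_EVENTS = [
    ("2", 34.4960, 132.3990),  # ~436 m from AAA: inside
    ("3", 34.4980, 132.3990),  # ~658 m from AAA, same cell: candidate rejected by distance
    ("4", 34.3956, 132.4903),  # ~145 m from BBB, neighbouring cell: caught by the 3x3 scan
]


def cell(lat, lon):
    """Coarse region key, the equivalent of the lookupLatLong field."""
    return (floor(lat / CELL_DEG), floor(lon / CELL_DEG))


def distance_m(lat1, lon1, lat2, lon2):
    """Spherical law of cosines in metres; the clamp keeps acos() in range for coincident points."""
    p1, p2 = radians(lat1), radians(lat2)
    c = sin(p1) * sin(p2) + cos(p1) * cos(p2) * cos(radians(lon2 - lon1))
    return EARTH_RADIUS_M * acos(max(-1.0, min(1.0, c)))


def count_events_within(shops, events, radius_m=500):
    """Return rows (shop, address, lat, lon, count) in lookup order."""
    # Stage 1: register each shop under its own cell and the 8 neighbours, so one
    # cell lookup per event returns every shop that MIGHT be within range.
    index = defaultdict(list)
    for i, (_, _, lat, lon) in enumerate(shops):
        r, c = cell(lat, lon)
        for dr in (-1, 0, 1):
            for dc in (-1, 0, 1):
                index[(r + dr, c + dc)].append(i)
    # Stage 2: exact distance against candidates only.
    counts = [0] * len(shops)
    for _, ev_lat, ev_lon in events:
        for i in index.get(cell(ev_lat, ev_lon), ()):
            if distance_m(ev_lat, ev_lon, shops[i][2], shops[i][3]) <= radius_m:
                counts[i] += 1
    return [s + (n,) for s, n in zip(shops, counts)]
```

Calling count_events_within(SHOPS, PAGE_EVENTS) yields the asker's expected rows (AAA with count 1, BBB with count 0); adding EXTRA_EVENTS gives 2 and 1, showing that a same-cell candidate can still be rejected by the exact distance and a neighbouring-cell event is still found.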