
How do I show the number of events per city in Geostats visualization, not relating to IP addresses?

colinmchugo
Explorer

Hi Splunk Gurus,

If I have city, department and office location in my data set, how do I show the number of events per city? I also want to be able to show a breakdown per department and finally show a breakdown per office location.

So I want a map visualization of the world that shows X amount of events in two categories. Let's call them category A and category B, so I can see for example that in New York there are 100 category A events and 10 category B events for that city. I also want to be able (maybe on a new map) to show the breakdown of category A and B per department per city, or per department per state.

Thanks, really appreciate this.

0 Karma
1 Solution

DavidHourani
Super Champion

Hi colin,

If you want to split by category and then by department then you need three maps, or you can do that with a single map and a tweaked dashboard input. The search for your global per-category map should be something like this:

yoursearchhere | geostats latfield=LatitudeFieldFromSearch longfield=LongitudeFieldFromSearch count by category

The map per department for cat A should be like this:

yoursearchhere | search category=A | geostats latfield=LatitudeFieldFromSearch longfield=LongitudeFieldFromSearch count by department

The map per department for cat B should be like this:

yoursearchhere | search category=B | geostats latfield=LatitudeFieldFromSearch longfield=LongitudeFieldFromSearch count by department

More info on the geostats command here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Geostats

If you are using choropleth you will only be able to have a map colored based on a global count and not by category.
More info here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/ChoroplethGenerate

Regards,
David

0 Karma
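A worked example of the "single map and a tweaked dashboard input" approach David mentions, added here and not part of the original thread or of Splunk's own documentation: one Simple XML dashboard with a category dropdown whose token is spliced into the geostats search, so one panel serves the per-category and per-department views. The field names (Category, Dept, Latitude, Longitude, "Office Location"), the lookup file officegeo2018.csv and the source/host/sourcetype values are taken from colin's search later in this thread; the dropdown choices, the time range and the panel title are assumptions.

```xml
<form>
  <label>Events per office, by category</label>
  <fieldset submitButton="false">
    <!-- The dropdown value is substituted into the search as $category$.
         The "*" choice matches any event that carries a Category field. -->
    <input type="dropdown" token="category" searchWhenChanged="true">
      <label>Category</label>
      <choice value="*">All categories</choice>
      <choice value="A">Category A</choice>
      <choice value="B">Category B</choice>
      <default>*</default>
    </input>
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Events per city for category $category$, split by department</title>
      <map>
        <search>
          <!-- Source, host, sourcetype, lookup and field names follow colin's search
               in this thread (assumed, not verified against his data). The lookup
               enriches each event with Latitude/Longitude from the office CSV, the
               search filters on the dropdown token, and geostats clusters the
               events by location with one count column per department. -->
          <query>
source="X.csv" host="Y" index="main" sourcetype="xx.csv"
| lookup officegeo2018.csv "Office Code" AS "Office Location"
| search Category="$category$"
| geostats latfield=Latitude longfield=Longitude count BY Dept
          </query>
          <earliest>$tr.earliest$</earliest>
          <latest>$tr.latest$</latest>
        </search>
        <!-- Marker map: each cluster becomes a pie of per-department counts.
             Choropleth would only colour by a single global count. -->
        <option name="mapping.type">marker</option>
        <option name="mapping.map.zoom">2</option>
      </map>
    </panel>
  </row>
</form>
```

Paste this as the source of a new dashboard (Dashboards > Create New Dashboard, then Edit Source). Changing `count BY Dept` to `count BY Category` and removing the `| search` line gives the global per-category map from the answer above as a second panel. One caveat that matches what happened later in this thread: SPL field names are case-sensitive, and if `latfield` or `longfield` names a field that does not exist on the events (a typo such as "Lattitude"), geostats does not error, it simply returns nothing and the map stays empty. Check the enriched events first with `| table "Office Location" Latitude Longitude | head 5` and confirm both coordinate fields are populated and numeric before adding the geostats stage.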

colinmchugo
Explorer

Got it working, it was a misspelling. Thanks.

DavidHourani
Super Champion

Great! Please accept answer if it helped 😉

0 Karma

colinmchugo
Explorer

Thanks David, but that's not working for me, unfortunately. So I've got the following:

source="X.csv" host="Y" index="main" sourcetype="xx.csv"
| lookup officegeo2018.csv "Office Code" as "Office Location"
| table Created Category Username Hostname "Office Location" Dept Country City Office Latitude Longitude

The geostats with what you said does not work, it just shows nothing even though there is data there.
Thanks again.

0 Karma

DavidHourani
Super Champion

Can you share a line of data from the query you sent? Make sure you mask any sensitive info.

0 Karma