Dashboards & Visualizations

Why is the drilldown not working my Splunk cluster map visualization?

evinasco
Communicator

Good Afternoon,

I am working with the geostats command using the "by" filter, and I want to execute a drilldown. I have two pie charts with different coordinates; each pie chart is determined by the filter (geostats lat lon count by option). The map with geostats is originally a chart table and each option is a title. When I want to choose an option by clicking a value, the drilldown always chooses the first option of the table and never allows me to choose another option, even though I clicked on another option.

I need to choose the yellow one, but if I click on this option, it always selects the green one.

1 Solution

niketn
Legend

@evinasco, if you create the drilldown based on $click.name$ and $click.value$ in a map with multiple splits for the same location, it will fetch only the first split field value (refer to Splunk documentation on map drilldown tokens).

This is a limitation of map drilldown, so you would need to report an enhancement to Map visualization drilldown if you have valid Splunk entitlement.

Meanwhile, please refer to one of the workarounds for drilldown using JavaScript in Cluster Map with multiple splits that I had provided a little while back. Since field names cannot be extracted from the Map chart element (HTML DOM), I had created a color-based drilldown where charting.fieldColors was used to color specific split fields. If you have a handful of split fields you can extend the concept explained in the answer, which actually caters to only two fields:

https://answers.splunk.com/answers/613088/how-to-redirect-to-two-urls-from-a-cluster-map.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

evinasco
Communicator

Hi, I was looking at your post link and I have a handful of split fields where I do not know which ones they could be; today it can be some and tomorrow others, so I cannot specifically refer to some fields.

When you say "if you have Splunk Entitlement, you should request an enhancement to Clustered Map Visualization", what do you mean by that? Or how can I request that?

Regards

0 Karma

niketn
Legend

If you have opted for Splunk Support along with a Splunk Enterprise License you should have an entitlement # through which you can request an enhancement.

While the above approach does not need fields to be in the same sequence, it does, however, require all the fields to be present. So a dummy 0 count for missing fields would need to be added, possibly by the appendcols command or even before (directly in the stats command) iplocation/geostats are used to fill in location details and geo coordinates.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

evinasco
Communicator

Hi

Thanks for your help.

What specifically should I say to Splunk Support? Is the entitlement # like a support case number? Should I say that I require an enhancement for Cluster Map Visualization, like a new version of the Cluster Map Visualization app?

Regards

0 Karma

niketn
Legend

Entitlement allows you to open support cases, if you have done that in the past. Report to them the issue that you are facing with the limitation of Cluster Map visualization in Splunk. Refer them to this question on Splunk Answers for details. Let them reach out to you with whether there is a workaround or not. If not, they will still inform you whether the Splunk team will proceed with the enhancement or not.

Once you get either a workaround or an enhancement ticket number, you can update the same here for reference and when your issue is resolved accept the same as answer.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

evinasco
Communicator

Hi

I decided to use Clustering Single Map while I request an enhancement from Splunk. I want to thank you for your help.

niketn
Legend

@evinasco, once you have the request number you can update the same here for future reference and updates. All the best 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

evinasco
Communicator


0 Karma

niketn
Legend

@evinasco, how many splits can you have through the by clause in geostats? Would it be just 2, for example TMK1 as one of the two values? Can the two options be displayed as a single pie with two slices? Is the zoom on the map fixed, or can users zoom out/zoom in?

Would it be possible for you to share the code you are using?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

evinasco
Communicator

@niketnilay thanks for your comment. At this moment I have two splits with different coordinates, but I could have several splits at different coordinates or at the same coordinates. With respect to zoom, the users can do that with a double click over the zone or with zoom out and zoom in.

code

<panel>
  <map>
    <search>
      <query>index=example sourcetype=sexample
        | lookup devices Nodo AS Nodo OUTPUTNEW Latitud Longitud
        | rename Latitud as latitud, Longitud as longitud
        | rex field=Description mode=sed "s/^[down down |*down down |up up ]//g"
        | eval Description=if((isnull(Description) OR Description=""),"LIBRE -- libre",Description)
        | eval Estado=case((like(PortState,"%UP%") AND like(Description,"%LIBRE%")),"Libre",
            (PortState="down" OR PortState="Down"),"Libre",1==1,"Ocupado")
        | stats count(puerto) as Total count(eval(Estado="Libre")) as Libres
            count(eval(Estado="Ocupado")) as Ocupados values(latitud) as latitud values(longitud) as longitud by Nodo
        | eval ocupacion=round(((Ocupados*100)/Total),0)
        | geostats latfield=latitud longfield=longitud values(ocupacion) as count by Nodo</query>
      <earliest>0</earliest>
      <latest></latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="drilldown">all</option>
    <option name="mapping.data.maxClusters">100</option>
    <option name="mapping.fieldColors">{"error":0xFF0000,"warn":0xFFFF00,"info":0x00FF00}</option>
    <option name="mapping.map.center">(-23.59484,-46.68712)</option>
    <option name="mapping.map.zoom">3</option>
    <option name="mapping.markerLayer.markerMaxSize">31</option>
    <option name="mapping.markerLayer.markerMinSize">30</option>
    <option name="mapping.seriesColors">[0x6dc066,0xffd700,0xe60026]</option>
    <option name="mapping.tileLayer.maxZoom">19</option>
    <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
    <option name="mapping.type">marker</option>
    <option name="trellis.enabled">0</option>
    <option name="trellis.scales.shared">1</option>
    <option name="trellis.size">medium</option>
    <drilldown>
      <set token="Nodo">$click.name$</set>
    </drilldown>
  </map>
</panel>
0 Karma