Inputlookup file KMZ doesn't work

splunk6161
Path Finder

I have performed this blog step by step: "http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/" but it doesn't work.
These are the steps I've done:
1- Extract file cb_2014_us_cd114_500k.kml from cb_2014_us_cd114_500k.zip
2- Zip file cb_2014_us_cd114_500k.kml in my_lookup.kmz
3- Upload the KMZ file to the Lookup table files manager page (see blog)
4- Add new Lookup definitions with the correct XPath (see blog)

So, in search I tried this SPL "| inputlookup my_lookup"; this returns more than 1000 results but I can't see anything in "statistics" or "visualization".

Where am I wrong?

Thanks

woodcock
Esteemed Legend

First, read the best treatment of Splunk and mapping anywhere:
https://www.splunk.com/en_us/blog/tips-and-tricks/use-custom-polygons-in-your-choropleth-maps.html

The `| inputlookup my_lookup` is just to see if you can access the featureId and geom fields inside of your KML or KMZ file. If it is built in such a way that Splunk can use it, you should see many lines returned on the Statistics tab. It sounds like you got this far. If you did not, consider using the Shapester - Geo Shape Editor app on Splunkbase (https://splunkbase.splunk.com/app/2893/) to build some shapes into a KML file that definitely should be Splunk-geo-compatible. If you then click on the Visualization tab, you should be able to see the results on a map but you must do ALL of the following:

1: Select the `Choropleth Map` visualization.
2: Keep `zooming` and `centering` your view until it is positioned over the location of the shapes in your file.
3: If your shapes are small, you will find that the default maps do not allow enough `zoom` to see them; to fix this....
4: Click on the `Format` tool (the `paint brush` icon) and go to the `Tiles` section.
5: Look at the comment that says `The URL to use for requesting tiles, ex: http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png` and grab the `http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png` text and paste it into the `URL` field.  Instantly you should have infinite `zoom` detail.  Really, this is probably the `secret magic` that you lacked.  This is not clearly documented anywhere and we only discovered it by accident playing around.

It really helps to take a look at the Choropleth Map Color Modes example with San Francisco Neighborhoods in the Map Elements area of the Splunk Dashboard Examples app on Splunkbase (https://splunkbase.splunk.com/app/1603/). It shows you how to do everything EXCEPT for the magical #5 step. Although the recommended tile set is really good, there are many, MANY, options out there so be sure to try a variety. Here are some alternative tile sets that render instantly in Splunk:

https://wiki.openstreetmap.org/wiki/Tile_servers
OpenStreetMaps: http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
Wikipedia: https://maps.wikimedia.org/osm-intl/{z}/{x}/{y}.png
OpenCycleMap: http://tile.thunderforest.com/cycle/{z}/{x}/{y}.png
Humanitarian Style: http://a.tile.openstreetmap.fr/hot/{z}/{x}/{y}.png
Hike and Bike: https://tiles.wmflabs.org/hikebike/{z}/{x}/{y}.png
0 Karma

rvany
Communicator

Just leave out the ".kmz" extension

0 Karma

splunk6161
Path Finder

I had written badly in this question, now it's correct.

0 Karma

rvany
Communicator

I tried it according to the blog you mentioned and it worked without any complication. Is there any permission problem, e.g. the lookup definition is (app)-private and you try to use it in some different app or context than where you defined it?

0 Karma

splunk6161
Path Finder

This is my configuration:
- Lookup table files: sharing "private" and app "search"
- Lookup definitions: sharing "private" and app "search"
- Owner: the same user who created the lookup table and lookup definition and ran the SPL code.

0 Karma

rvany
Communicator

Where could you see these "more than 1000 results"? After running this command I was directly led to the "statistics" tab with only 441 results.

What's in your /opt/splunk/etc/users/<your_login_name>/search/lookups directory?

I have:

drwx------. 2 splunk splunk     166 21. Jun 12:00 my_lookup
-rw-------. 1 splunk splunk 5528634 21. Jun 11:58 my_lookup.kmz

and in the my_lookup subdir I got:

-rw-------. 1 splunk splunk   328032 21. Jun 12:00 grid.key
-rw-------. 1 splunk splunk 63532814 21. Jun 12:00 grid.val
-rw-------. 1 splunk splunk    63384 21. Jun 12:00 ray.key
-rw-------. 1 splunk splunk    63384 21. Jun 12:00 ray.t.key
-rw-------. 1 splunk splunk 13295927 21. Jun 12:00 ray.t.val
-rw-------. 1 splunk splunk 20392363 21. Jun 12:00 ray.val
-rw-------. 1 splunk splunk 16221144 21. Jun 12:00 seg.key
-rw-------. 1 splunk splunk 16221144 21. Jun 12:00 seg.t.key
-rw-------. 1 splunk splunk 63532814 21. Jun 12:00 seg.t.val
-rw-------. 1 splunk splunk 63532814 21. Jun 12:00 seg.val

If you are on Windows I presume it should look similar - at least regarding the file/directory names.

0 Karma

splunk6161
Path Finder

In my /opt/splunk/etc/users//search/lookups directory I don't have the subfolder my_lookup.

0 Karma

rvany
Communicator

Did you select type "Geospatial" in the lookup definition?

0 Karma

splunk6161
Path Finder

Yes, I have performed the blog step by step.

0 Karma

rvany
Communicator

I re-defined the lookup in my environment and got the same result again.

The my_lookup-dir is created and filled during the first call to | inputlookup my_lookup. So it's not surprising that you don't have it.

Even after redefinition I got 441 entries in my statistics tab, not more than 1000. So what's in your local/transforms.conf-file regarding your my_lookup (located in the same directory as your lookup-dir)?

To check the source: I use cb_2014_us_cd114_500k.zip with a sha256sum of 100d747b89728dd1249a8d83c311691358072e62a9a7aff592edf49321f22083. My uploaded my_lookup.kmz is 5528634 Bytes in size.

Did you define any other lookup named my_lookup some time before?

0 Karma
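
A way to run the source check from the last reply (digest and byte size of the file) and to confirm that a KMZ really is a zip with a parseable KML and polygon Placemarks inside, before looking further at the lookup definition. This is an added example, not part of any post in this thread; the sample KML is constructed, and `inspect_kmz` and `build_sample_kmz` are hypothetical helper names.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET  # for files from untrusted sources, prefer defusedxml

# Constructed sample data (not the Census file): one polygon Placemark, one point Placemark.
SAMPLE_KML = """<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2"><Document>
<Placemark><name>A</name><Polygon><outerBoundaryIs><LinearRing>
<coordinates>0,0 1,0 1,1 0,0</coordinates></LinearRing></outerBoundaryIs></Polygon></Placemark>
<Placemark><name>B</name><Point><coordinates>2,2</coordinates></Point></Placemark>
</Document></kml>"""

def local(tag: str) -> str:
    """Element name without its XML namespace, so any KML namespace version matches."""
    return tag.rsplit("}", 1)[-1]

def inspect_kmz(data: bytes) -> dict:
    """Report digest, size, KML members and Placemark counts for KMZ bytes."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
              "kml_members": [], "placemarks": 0, "with_polygon": 0, "problems": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["problems"].append("not a zip archive")
        return report
    with archive:
        report["kml_members"] = [n for n in archive.namelist() if n.lower().endswith(".kml")]
        if not report["kml_members"]:
            report["problems"].append("no .kml member in archive")
        for name in report["kml_members"]:
            try:
                root = ET.fromstring(archive.read(name))
            except ET.ParseError as exc:
                report["problems"].append(f"{name}: XML parse error: {exc}")
                continue
            for el in root.iter():
                if local(el.tag) == "Placemark":
                    report["placemarks"] += 1
                    if any(local(c.tag) == "Polygon" for c in el.iter()):
                        report["with_polygon"] += 1
    return report

def build_sample_kmz() -> bytes:
    """Zip the constructed KML into an in-memory KMZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample.kml", SAMPLE_KML)
    return buf.getvalue()
```

For a real file, pass `open("my_lookup.kmz", "rb").read()` and compare `size` and `sha256` with the values of a copy that is known to work.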