All Apps and Add-ons

Not getting the store value in pop ups on dots in map.

kumar_pashupati
New Member

Please tell me how to get the store value in pop ups in the map after hovering. Here in the output , based on the condition, dots display.I want to display store number in pop ups on dots in map. Whenever I change the query, color condition fails.My query is working fine but not showing the store value in pop ups on dots in map.Below is the query.

| inputlookup store_data_api.csv
| rename store_number as store
| eval storeStatus = "1"

        | join type=left store
          [

              | search index="mon_prod" device="pos" ( (process="cpu_metrics") OR (process="mem_metrics") OR (process="top_process_metrics") OR (process="disk_usage_metrics" disk_mount_point="/" ) ) 
              | stats avg(cpu_total) as cpu_avg, latest(process_mem) as process_mem, latest(disk_used) as disk_used, latest(disk_available) as disk_available, latest(memtotal) as memtotal, latest(memfree) as memfree count by deviceid, device, store 
              | eval disk_percent = ((disk_used/(disk_available+disk_used))*100) 
              | eval mem_percent = (((memtotal-memfree)/memtotal)*100) 
              | eval status = case(
                 ((cpu_avg >=95) OR (disk_percent >=90) OR (mem_percent >=98) OR (process_mem >1)),"3000", 
((cpu_avg < 95 and cpu_avg >90) OR (disk_percent <90 and disk_percent >=70) OR (mem_percent < 98 and mem_percent >=94 ) OR (process_mem =1)),"2000" ,
((cpu_avg <90 and cpu_avg >= 0) OR (disk_percent < 70) OR (mem_percent < 94 ) OR (process_mem <1)),"1000"
                  ) 
              | table _time,store,deviceid,device,process,cpu_avg,disk_percent,mem_percent,process_mem,status,disk_mount_point 
              | stats count by store status 
              | stats max(status) by store 
              | rename max(status) as storeStatusPOS

          ]

          | join type=left store
          [
                | search index="mon_prod" device="boh" store="*" ( (process="cpu_metrics") OR (process="mem_metrics") OR (process="top_process_metrics") OR (process="disk_usage_metrics" (disk_mount_point="/" OR disk_mount_point="/appl" OR disk_mount_point="/var/lib/postgresql/9.3/main")) ) 
                    | stats  latest(disk_used) as disk_used, latest(disk_available) as disk_available count by deviceid, device, store, disk_mount_point
                    | eval disk_percent = ((disk_used/(disk_available+disk_used))*100) 
                    |lookup devicememvalues.csv deviceid outputnew mem_percent cpu_avg process_mem
                    | eval disk_mount_point=if(disk_mount_point="/","root",disk_mount_point)
                | eval status1 = 
                    if(disk_mount_point="root", case(((cpu_avg >90) OR ( disk_percent >90) OR (mem_percent >98) OR (process_mem >1)),"3000"),"0")
                    | eval status2= 
                    if(disk_mount_point="/appl", case(((cpu_avg >90 and cpu_avg >70) OR (disk_percent >88) OR (mem_percent >98) OR (process_mem >1)),"3000") ,"0")
                    | eval status3=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg >90) OR (disk_percent >85) OR (mem_percent >98) OR (process_mem >1)),"3000"),"0")

                    | eval status4 = 
                    if(disk_mount_point="root", case(((cpu_avg < 90 and cpu_avg >70) OR ( disk_percent >70 and disk_percent <90 ) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000"),"0")
                    | eval status5= 
                    if(disk_mount_point="/appl", case(((cpu_avg < 90 and cpu_avg >70) OR (disk_percent <88 and disk_percent >75) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000") ,"0")
                    | eval status6=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg < 90 and cpu_avg >70) OR (disk_percent <85 and disk_percent >70) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000"),"0") 

                    | eval status7 = 
                    if(disk_mount_point="root", case(((cpu_avg <70 and cpu_avg >= 0) OR ( disk_percent <70) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000"),"0")
                    | eval status8= 
                    if(disk_mount_point="/appl", case(((cpu_avg <70 and cpu_avg >= 0) OR (disk_percent <75) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000") ,"0")
                    | eval status9=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg <70 and cpu_avg >= 0) OR (disk_percent < 70) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000"),"0") | fillnull value=1
                   | eval status=status1." ".status2." ".status3." ".status4." ".status5." ".status6." ".status7." ".status8." ".status9
                   | rex field=status "(?<status>\d{4})"| stats values(status) as status by deviceid,store
                   | eval status = case(status="3000","3000",status="2000","2000",status="1000","1000")
                   | table _time,store,deviceid,device,process,cpu_avg,disk_percent,mem_percent,process_mem,status,disk_mount_point 
               | stats count by store status 
               | stats max(status) by store 
               | rename max(status) as storeStatusBOH

          ]
          | table latitude,longitude,storeStatusPOS,storeStatusBOH,store
          | eval phStore= "PH"+ store
          | eval PP=store
          | eval storeStatus=if(storeStatusPOS>storeStatusBOH,storeStatusPOS,storeStatusBOH)
          | fillnull value=1 storeStatus

         | geostats latfield=latitude longfield=longitude values(phStore) sum(storeStatus) as Total 


          | eval redCount = if(Total>= 3000,Total, 0) 
          | eval yellowCount = if(Total<3000 and Total>=2000,Total, 0) 
          | eval greenCount = if( Total <2000 and Total>=1000,Total,0) 
          | eval greyCount = if( Total < 1000,Total,0)
          | fields - Total,store
0 Karma

shaskell_splunk
Splunk Employee
Splunk Employee

If you want the store to show as a hover (tooltip) then you'll need to |eval tooltip=store and make sure tooltip is in your final | table.

If you want store to show as a popup when you click the marker you'll need to | eval description=store and make sure description is in your final | table.

If you want both, | eval tooltip=store, description=store | table latitude, longitude, tooltip, description

0 Karma

kumar_pashupati
New Member

Any Idea , please help

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...