Solved: Why is Splunk Map not showing correct results when...

dhavamanis · ‎01-08-2015

We are using the query below with Splunk Map, but it's not showing the correct results.

index=idxmember | lookup geolookup "Primary_Address_ZIP" as "Primary_Address_ZIP" OUTPUT latitude , longitude |geostats latfield=latitude longfield=longitude count by Primary_Address_ZIP

If I filter by a single zip code, the results are correct, but if there are more entries for a zip code, it is not plotting correctly. For example, we have the entry zipcode-60134 = 500529. It is not showing the correct result if I try to plot with all other zip codes. If I filter like below, it is working properly.

index=idxmember Primary_Address_ZIP=60134 | lookup geolookup "Primary_Address_ZIP" as "Primary_Address_ZIP" OUTPUT latitude , longitude |geostats latfield=latitude longfield=longitude count by Primary_Address_ZIP

Can you please tell us how to fix this issue?

dhavamanis · ‎02-18-2015

When we try to plot more than 40000 unique zipcode results in pie chart, somehow its breaking the final results in pie chart and not showing correct count. So we have restricted only top 20 zipcode results to display in map pie chart and its started showing correct count.

index=idxmember brand_name=* | top limit=20 Primary_Address_ZIP, latitude, longitude | geostats latfield=latitude longfield=longitude sum(count) by Primary_Address_ZIP globallimit=0

View solution in original post

dhavamanis · ‎02-18-2015

When we try to plot more than 40000 unique zipcode results in pie chart, somehow its breaking the final results in pie chart and not showing correct count. So we have restricted only top 20 zipcode results to display in map pie chart and its started showing correct count.

index=idxmember brand_name=* | top limit=20 Primary_Address_ZIP, latitude, longitude | geostats latfield=latitude longfield=longitude sum(count) by Primary_Address_ZIP globallimit=0

martin_mueller · ‎01-09-2015

As indicated by the warning message, you could use the globallimit setting to increase or disable this limit. I'm not sure how well it'd handle such a high number, ymmv.

dhavamanis · ‎01-09-2015

Thanks Martin, We have opened the Splunk support case and waiting for their response.

martin_mueller · ‎01-09-2015

Splitting by such a diverse field would create 37560 columns, 37560 different colours on your map, pies with up to 37560 slices, and general trouble.

dhavamanis · ‎01-09-2015

Can you please tell us, is there any way to control this and just show count for each of the zipcode without mismatch?.

martin_mueller · ‎01-08-2015

Do provide some info on what's wrong about the displayed data. Screenshots, sample data, wrong output, desired output, etc.

dhavamanis · ‎01-09-2015

Once after report complete getting the below warning message

Warning message:

"split by field Primary_Address_ZIP has large number of unique values 37560 . Chart column set will be trimmed to 10. Use globallimit argument to control column count"

Why is Splunk Map not showing correct results when trying to plot multiple zip codes?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk