topic Re: Splunk choropleth world map not working in Security

Splunk choropleth world map not working

shashankk — Tue, 16 Dec 2025 16:00:29 GMT

I am trying to setup Splunk choropleth world map for the first time.

Refer below splunk query:

index=app_events_test source="/test/path/*hot*/*" | rex field=_raw "Priority\=(?<Priority>[^,]+)" | rex "===>.+\s*LOC=(?<LOC>[A-Z0-9]+)" | rex "(?:=\s*\{3\}|\s*\\|\s*<|\s*-(3))|\s*TRN[:\\*]\s*(?<trn>[^\s]+)" | rex "TEST\.RCV\.FROM\.(?<TestScanMQ>.*)\s*@" | where Priority IN ("High", "Medium") | join type=left LOC [| inputlookup geolocation.csv | fields LOC, country, latitude, longitude, region] | where isnotnull(latitude) AND isnotnull(longitude) | stats count AS total_events, count(eval(Priority="High")) AS high_count, count(eval(Priority="Medium")) AS medium_count by LOC, country, latitude, longitude, region | sort - total_events

I am displaying output in below Table columns:

LOC | country | latitude | longitude | region | total_events | high_count | medium_count

How do I visualize this data in Cluster Map (choropleth world map)

Refer attached screenshot from Visualization tab - it says "Latitude & Longitude must be valid numbers"

Please note the columns (Latitude & Longitude) having Numeric values only.

Re: Splunk choropleth world map not working

livehybrid — Tue, 16 Dec 2025 16:51:19 GMT

Hi @shashankk

The centre point must be a latitude and longitude numerical value, you have put 'latitude' in the latitude box not a numeric value.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunk choropleth world map not working

shashankk — Tue, 16 Dec 2025 17:18:47 GMT

@livehybrid Thank you for your response.

Yes, I agree we need to pass Numeric value in Latitude and Longitude fields.

But, here I am showing the Numeric values in Table output of my SPL query. How do I pass these query output column values to Visualization fields?

Kindly suggest.

Re: Splunk choropleth world map not working

tscroggins — Sat, 20 Dec 2025 16:21:53 GMT

Hi @shashankk,

Choropleth maps use arrays of latitude and longitude vertices to draw polygons. The Splunk geom search command uses lookups to map feature identifiers to shapes, typically aligned to something represented by the underlying map data.

For example:

| makeresults format=csv data="src_ip
8.8.8.8
8.8.4.4"
| iplocation src_ip
| stats count by Region
| geom geo_us_states featureIdField="Region"

will produce geometry for the state of California:

In your example, choose a feature representing your normalized magnitude (count, density, etc.) and then use the geom command with an appropriate lookup:

| stats count as total_events by country
| geom geo_countries allFeatures=true featureIdField="country"

If you want to display multiple statistics, use the geostats search command with the Cluster Map visualization:

| geostats globallimit=0 latfield=latitude longfield=longitude count as total_events, count(eval(Priority="High")) as high_count, count(eval(Priority="Medium")) as medium_count

The General visualization settings allow you to set the map center using directly entered latitude and longitude values. To center on Switzerland, for example, use latitude 46.801 and longitude 8.227: