topic geostats cluster map drilldown: what token/s are available? in Dashboards & Visualizations

geostats cluster map drilldown: what token/s are available?

cmeo — Mon, 29 May 2017 13:14:42 GMT

I am using the cluster map visualisation and geostats, and I'd like to be able to drilldown on each cluster and show formatted details of all the entities in that area. I can get the raw events for the sourcetype with the default drilldown, but what tokens are available if I want to drill to another dashboard instead? The docs seem to be vague on this point, and the applicable Answers are more than two years old.
There seems to be a thing called a geobin which is added to the events in the initial map, but I can see how to generate a useful filter for the target dashboard and panel.

Re: geostats cluster map drilldown: what token/s are available?

niketn — Tue, 30 May 2017 09:18:10 GMT

@cmeo Predefined tokens for Map can be found at the following Splunk Documentation link.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/PanelreferenceforSimplifiedXML#map_2

Re: geostats cluster map drilldown: what token/s are available?

cmeo — Tue, 29 Sep 2020 14:16:25 GMT

The docs are fine as far as they go, but the Auto drilldown for the map looks like this:
sourcetype=customer | eval l_location=upper(location) | eval state="VIC" | lookup locations suburb as l_location state output lat lon | search lat>=-35.85938 lat<-35.15625 lon>=143.43750 lon<144.84375

So it is automatically generating a latitude and longitude range presumably corresponding to the radius of the cluster marker, and supplying this in the search parameters. I cannot see how to pass this range in custom tokens, since the properties of the cluster marker aren't available. The statistics table for the parent map has four fields: geobin, latitude, longitude and a count (of what I'm not sure, not customers certainly) if there's a way to group the lats and longs I don't see it.
As an experiment I tried passing $click.lat.value$ into the child dashboard to see what I got, which was exactly one lat value--no range. So, what magic is going on here?

Re: geostats cluster map drilldown: what token/s are available?

jeffland — Tue, 30 May 2017 11:57:03 GMT

You are probably looking for $click.bounds.orientation$. In your example above,

| search lat>=-35.85938 lat<-35.15625 lon>=143.43750 lon<144.84375

the search with tokens would have been

| search lat>=$click.bounds.south$ lat<$click.bounds.north$ lon>=$click.bounds.west$ lon<$click.bounds.east$

(maybe I've confused east and west there, you might have to check). But this is how you get all events matching the lat/lon bounds produced by the cluster.

Re: geostats cluster map drilldown: what token/s are available?

cmeo — Tue, 29 Sep 2020 14:17:21 GMT

OK thanks to the responders, problem solved. Create tokens for the four values passed (N, S, E, W limits) and make sure the target search includes lats and longs.
For instance:
sourcetype=customer| eval l_location=upper(location)|eval state="VIC" | lookup locations suburb as l_location state output lat lon | where (lon >= $lon1$ AND lon < $lon2$) AND (lat >= $lat2$ AND lat < $lat1$) | sort surname1 | table firstname1 surname1 phone1 email1 address location
And the thing that threw me: I'm in the southern hemisphere, note that the relation operators for lats are reversed because all our lats are negative! Thanks to my good lady wife for spotting that one...D'oh!