I'm trying to change the colour of my markers on my map. I have this within the query:
> eval redCount = if(TOTAL >= 10,TOTAL,0) | eval yellowCount = if((TOTAL >= 1 AND TOTAL < 10),TOTAL,0) | eval greenCount = if(TOTAL < 1,TOTAL,0) |
And then I'm adding this into the XML
I'm basically following the steps detailed here: https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html
Problem is that the markers remain green even though my stats value is > 10 (so should display red).
Here's the whole of the query:
index=A sourcetype=B | eval WARNFORTHISERROR=if(MESSAGETYPE=1,0,1) | append [search sourcetype=C index=2196161_23*_scada Type=Error | eval WARNFORTHISERROR=if(Type=Error,0,1)] | search WARNFORTHISERROR=1 | lookup LOOKUP.csv index OUTPUT latitude longitude | rename latitude as lat longitude as lon | geostats count as TOTAL | eval redCount = if(TOTAL >= 10,TOTAL,0) | eval yellowCount = if((TOTAL >= 1 AND TOTAL < 10),TOTAL,0) | eval greenCount = if(TOTAL < 1,TOTAL,0) |
I worked it out myself!
The greenCount, yellowCount and redCount seem pointless as actually there are parameters in the XML that need changing:
<option name="leaflet_maps_app.leaflet_maps.criticalThreshold">2</option>
<option name="leaflet_maps_app.leaflet_maps.warningThreshold">1</option>