Clustered Single Value Map not showing correct cou...

tadcarlson · ‎03-19-2018

I am attempting to use the Clustered Single Value Map visualization (CSVM) to show a basic count of login attempts by location. Below is my search.

 index="onlinebanking" sourcetype="Activity" EVENTID=LOGIN | iplocation IPADDRESS | geostats latfield=lat longfield=lon count

However when the map renders, the counts for the clustered values aren't even close to the statistics. The built-in Cluster Map shows the correct results, and the statistics for each search is obviously the same, but for some reason it the CSVM isn't rendering with the correct values and it's not even close. For instance CSVM will display 453 for an area, while the built-in and stats indicate 32,000. I'd really like to get to the drilled-in detail that CSVM provides, but if the values aren't accurate it doesn't do me any good.

damann · ‎04-17-2018

Have you tried to reduce the binspan for your lat and long?

http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Geostats

Try the following:
YOURSEARCH | geostats latfield=lat longfield=lon binspanlat=0.1 binspanlong= 0.1 count

Just play a little with the values to meet your needs.

Clustered Single Value Map not showing correct counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation