Solved: Re: How to change bin value ranges using choroplet...

jmchilde · ‎10-13-2015

Hello,

I currently have 9 bins enabled. The lowest default bin range on my map is 0-600k, which is assigned the white color. All but one country fall into the 0-600k range, so only one country is highlighted while the others are all white. This doesn't give me very good contrast on all of the other countries.

How can I change the the bin value ranges? For example, lowering the smallest bin range (white) to 0-50 means any country with a value greater than 50 would be assigned a color (not white).

mporath_splunk · ‎10-13-2015

Unfortunately that's not possible at this moment with Splunk 6.3..

Let me offer you an alternative. Often when something like this happens it's because the one country's population (or user base or similar metric) is far larger than all other countries, outweighing all other countries when simply counting a metric. Take for example the use case of web analytics. The US with its ~320M will likely generate many more visitors than, say, Switzerland with its ~8M.

One way around that is to normalize the metric. Three examples:

You could do something like visits per capita (dividing visits by the population number for each country).
You could compare a number for this week to the same metric last week.
You could compare each number to a predefined goal or target

That being said, it's absolutely possible that none of these will work for your use case, and you are indeed interested in absolute numbers.

View solution in original post

Reimer1291 · ‎07-20-2017

If you want to avoid bins being colored white, you can use the "Divergent" color option with an even number of bins.

mporath_splunk · ‎10-13-2015

Unfortunately that's not possible at this moment with Splunk 6.3..

Let me offer you an alternative. Often when something like this happens it's because the one country's population (or user base or similar metric) is far larger than all other countries, outweighing all other countries when simply counting a metric. Take for example the use case of web analytics. The US with its ~320M will likely generate many more visitors than, say, Switzerland with its ~8M.

One way around that is to normalize the metric. Three examples:

You could do something like visits per capita (dividing visits by the population number for each country).
You could compare a number for this week to the same metric last week.
You could compare each number to a predefined goal or target

That being said, it's absolutely possible that none of these will work for your use case, and you are indeed interested in absolute numbers.

carlkennedy · ‎02-24-2017

Did this option get added in 6.4 or 6.5? If not, is it on the roadmap for a future release? I am using states and four bins. The largest value for a particular state is 94,000. My buckets have these ranges:
0 - 60,000
60,000 - 120,000
120,000 - 180,000
180,000 - 240,000

jmchilde · ‎10-14-2015

Thanks for that. Unfortunately, I am comparing absolute values but I really appreciate the alternatives. I'd definitely like to see this option added as a feature similar to how you add a neutral point in the divergent map. The choropleth map is not useful if any absolute values are significantly deviated.

gchung_splunk · ‎10-25-2015

How about group it by yourself as a workaround? Try something like this:

| eval count= case(count<=10,"0-10", count>10 AND count<=100, "11-100", count<=10000, "101-10000", count>10000, "10000+")

And group it by Categorical?

mporath_splunk · ‎10-26-2015

@gchung's answer would work! If categorical coloring doesn't work as expected, you could define your own mapping.seriesColors option, e.g. with values {"0-10": "#FAEDA5", "11-100": #F7B44C, "101-10000", : "#FF4B2A""10000+": "#C10028"}, which is a gradient from yellow to red

brettwilliams · ‎02-09-2016

This definitely is interesting... and it seems like it would work if the cases match the expected results. What about ranking with streamstats and then putting these in bins?

index=index "Login succeeded" | iplocation source_ip | stats count by Country | sort -count | streamstats count as rank | bucket rank span=5 as bucket

And somehow combining it with a working geom search, but using the categories which match the bucket field instead of the count:

index=index "Login succeeded" | iplocation source_ip | lookup geo_us_states longitude as lon, latitude as lat | stats count by featureId | geom geo_us_states

Simon · ‎06-07-2016

I'm using kmeans to create dynamic "categories" based on a numeric field:

index=index "Login succeeded" | iplocation source_ip | lookup geo_us_states longitude as lon, latitude as lat | stats count by featureId | geom geo_us_states  | kmeans k=5 count | eventstats min(count) AS min, max(count) AS max by CLUSTERNUM | sort min | eval count=min."-".max | fields - CLUSTERNUM centroid_count max min

where
- k=5 defines the number of clusters/categories (5 in this case)
- evenstats / eval is used to create a dynamic label for the category in the field "count" showing min and max of count

HTH.

Best,
Simon

GRMcCauley · ‎08-14-2016

@Simon - This is VERY helpful. Thank You!

jmchilde · ‎10-27-2015

Thanks all. I will give this a try!

TonyLeeVT · ‎10-01-2019

Thanks for all the input on this issue.

@jmchilde - Did it work?

@mporath_splunk - Could you please provide a working example?

jdswanson · ‎10-22-2015

I concur. Would like to see custom bins for absolute values.

How to change bin value ranges using choropleth map?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?