How to change bin value ranges using choropleth map?

Explorer

Hello,

I currently have 9 bins enabled. The lowest default bin range on my map is 0-600k, which is assigned the white color. All but one country fall into the 0-600k range, so only one country is highlighted while the others are all white. This doesn't give me very good contrast on all of the other countries.

How can I change the bin value ranges? For example, lowering the smallest bin range (white) to 0-50 means any country with a value greater than 50 would be assigned a color (not white).

Re: How to change bin value ranges using choropleth map?

Splunk Employee

Unfortunately that's not possible at this moment with Splunk 6.3.

Let me offer you an alternative. Often when something like this happens it's because the one country's population (or user base or similar metric) is far larger than all other countries, outweighing all other countries when simply counting a metric. Take for example the use case of web analytics. The US with its ~320M will likely generate many more visitors than, say, Switzerland with its ~8M.

One way around that is to normalize the metric. Three examples:

  • You could do something like visits per capita (dividing visits by the population number for each country).
  • You could compare a number for this week to the same metric last week.
  • You could compare each number to a predefined goal or target.

That being said, it's absolutely possible that none of these will work for your use case, and you are indeed interested in absolute numbers.

Re: How to change bin value ranges using choropleth map?

Explorer

Thanks for that. Unfortunately, I am comparing absolute values but I really appreciate the alternatives. I'd definitely like to see this option added as a feature similar to how you add a neutral point in the divergent map. The choropleth map is not useful if any absolute values are significantly deviated.

0 Karma

Re: How to change bin value ranges using choropleth map?

Explorer

I concur. Would like to see custom bins for absolute values.

0 Karma

Re: How to change bin value ranges using choropleth map?

Splunk Employee

How about grouping it yourself as a workaround? Try something like this:

| eval count= case(count<=10,"0-10", count>10 AND count<=100, "11-100", count<=10000, "101-10000", count>10000, "10000+")

And group it by Categorical?

Re: How to change bin value ranges using choropleth map?

Splunk Employee

@gchung's answer would work! If categorical coloring doesn't work as expected, you could define your own mapping.seriesColors option, e.g. with values {"0-10": "#FAEDA5", "11-100": "#F7B44C", "101-10000": "#FF4B2A", "10000+": "#C10028"}, which is a gradient from yellow to red.

0 Karma

Re: How to change bin value ranges using choropleth map?

Explorer

Thanks all. I will give this a try!

0 Karma

Re: How to change bin value ranges using choropleth map?

Builder

Thanks for all the input on this issue.

@jmchilde - Did it work?

@mporath_splunk - Could you please provide a working example?

0 Karma

Re: How to change bin value ranges using choropleth map?

Path Finder

This definitely is interesting... and it seems like it would work if the cases match the expected results. What about ranking with streamstats and then putting these in bins?

index=index "Login succeeded" | iplocation source_ip | stats count by Country | sort -count | streamstats count as rank | bucket rank span=5 as bucket

And somehow combining it with a working geom search, but using the categories which match the bucket field instead of the count:

index=index "Login succeeded" | iplocation source_ip | lookup geo_us_states longitude as lon, latitude as lat | stats count by featureId | geom geo_us_states
0 Karma

Re: How to change bin value ranges using choropleth map?

Contributor

I'm using kmeans to create dynamic "categories" based on a numeric field:

index=index "Login succeeded" | iplocation source_ip | lookup geo_us_states longitude as lon, latitude as lat | stats count by featureId | geom geo_us_states  | kmeans k=5 count | eventstats min(count) AS min, max(count) AS max by CLUSTERNUM | sort min | eval count=min."-".max | fields - CLUSTERNUM centroid_count max min

where
- k=5 defines the number of clusters/categories (5 in this case)
- eventstats / eval is used to create a dynamic label for the category in the field "count" showing min and max of count

HTH.

Best,
Simon

0 Karma
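
The rank-based grouping and the min/max labels suggested in this thread, combined into one country-level search, as an added example that is not from any poster or from Splunk. It assumes the built-in geo_countries lookup, the thread's index and source_ip names, hypothetical tier boundaries (5, 10, 20), and a choropleth set to categorical color mode so the string labels are colored as categories.

```spl
index=index "Login succeeded"
| iplocation source_ip
| stats count by Country
| sort 0 -count
| streamstats count as rank
| eval tier=case(rank<=5, "1: rank 1-5", rank<=10, "2: rank 6-10", rank<=20, "3: rank 11-20", true(), "4: rank 21+")
| eventstats min(count) as lo, max(count) as hi by tier
| eval tier=tier." (".lo."-".hi." logins)"
| fields Country tier
| geom geo_countries featureIdField=Country
```

Because tiers are assigned by rank rather than by absolute count, a single dominant country no longer pushes every other login origin into the same bin, while the label still shows the absolute range each tier covers.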