How to change bin value ranges using choropleth map?

jmchilde
Explorer

Hello,

I currently have 9 bins enabled. The lowest default bin range on my map is 0-600k, which is assigned the white color. All but one country fall into the 0-600k range, so only one country is highlighted while the others are all white. This doesn't give me very good contrast on all of the other countries.

How can I change the bin value ranges? For example, lowering the smallest bin range (white) to 0-50 means any country with a value greater than 50 would be assigned a color (not white).

1 Solution

mporath_splunk
Splunk Employee

Unfortunately that's not possible at this moment with Splunk 6.3.

Let me offer you an alternative. Often when something like this happens it's because the one country's population (or user base or similar metric) is far larger than all other countries, outweighing all other countries when simply counting a metric. Take for example the use case of web analytics. The US with its ~320M will likely generate many more visitors than, say, Switzerland with its ~8M.

One way around that is to normalize the metric. Three examples:

  • You could do something like visits per capita (dividing visits by the population number for each country).
  • You could compare a number for this week to the same metric last week.
  • You could compare each number to a predefined goal or target.

That being said, it's absolutely possible that none of these will work for your use case, and you are indeed interested in absolute numbers.

Reimer1291
Engager

If you want to avoid bins being colored white, you can use the "Divergent" color option with an even number of bins.

carlkennedy
Path Finder

Did this option get added in 6.4 or 6.5? If not, is it on the roadmap for a future release? I am using states and four bins. The largest value for a particular state is 94,000. My buckets have these ranges:
0 - 60,000
60,000 - 120,000
120,000 - 180,000
180,000 - 240,000

jmchilde
Explorer

Thanks for that. Unfortunately, I am comparing absolute values but I really appreciate the alternatives. I'd definitely like to see this option added as a feature similar to how you add a neutral point in the divergent map. The choropleth map is not useful if any absolute values are significantly deviated.

gchung_splunk
Splunk Employee

How about group it by yourself as a workaround? Try something like this:

| eval count= case(count<=10,"0-10", count>10 AND count<=100, "11-100", count<=10000, "101-10000", count>10000, "10000+")

And group it by Categorical?

mporath_splunk
Splunk Employee

@gchung's answer would work! If categorical coloring doesn't work as expected, you could define your own mapping.seriesColors option, e.g. with values {"0-10": "#FAEDA5", "11-100": "#F7B44C", "101-10000": "#FF4B2A", "10000+": "#C10028"}, which is a gradient from yellow to red.

brettwilliams
Path Finder

This definitely is interesting... and it seems like it would work if the cases match the expected results. What about ranking with streamstats and then putting these in bins?

index=index "Login succeeded" | iplocation source_ip | stats count by Country | sort -count | streamstats count as rank | bucket rank span=5 as bucket

And somehow combining it with a working geom search, but using the categories which match the bucket field instead of the count:

index=index "Login succeeded" | iplocation source_ip | lookup geo_us_states longitude as lon, latitude as lat | stats count by featureId | geom geo_us_states
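
Added example, not code from any poster in this thread: the binning approaches discussed above (gchung's fixed thresholds from the case() eval and brettwilliams' rank buckets) reproduced in Python next to the equal-width split a default choropleth applies, run on a constructed count-by-country table so you can see how many countries each approach gives a distinct color. The country counts, the 4-bin equal-width approximation of the default behaviour and the function names are assumptions of the example; the thresholds 10/100/10000 are gchung's.

```python
"""Three ways to assign countries to choropleth bins (constructed example)."""
from bisect import bisect_left
from collections import Counter

# Constructed sample standing in for `... | stats count by Country`:
# successful logins per country, with one country dwarfing the rest.
LOGINS_BY_COUNTRY = {
    "US": 94000, "DE": 4200, "GB": 3100, "FR": 1800, "CA": 900,
    "CH": 420, "NL": 260, "SE": 75, "NZ": 12,
}

# gchung's thresholds from the `eval count=case(...)` workaround.
CUSTOM_EDGES = [10, 100, 10000]
CUSTOM_LABELS = ["0-10", "11-100", "101-10000", "10000+"]


def equal_width_bins(counts, n_bins):
    """Approximation of the default behaviour: cut [0, max] into n_bins ranges of
    equal width and return {country: bin index}. One outlier stretches the axis so
    that almost everything lands in bin 0 (the white bin from the question)."""
    width = max(counts.values()) / n_bins
    # The maximum itself sits on the upper edge; keep it in the last bin.
    return {name: min(int(value // width), n_bins - 1) for name, value in counts.items()}


def custom_bins(counts, edges=CUSTOM_EDGES, labels=CUSTOM_LABELS):
    """Analyst-chosen upper edges, equivalent to the case() eval. bisect_left gives
    the number of edges strictly below the value, which is exactly the label index:
    10 -> "0-10", 11 -> "11-100", 10000 -> "101-10000", 10001 -> "10000+"."""
    return {name: labels[bisect_left(edges, value)] for name, value in counts.items()}


def rank_bins(counts, span=5):
    """brettwilliams' idea: `sort -count | streamstats count as rank | bin rank span=<span>`.
    Returns {country: (rank, bucket_start)}; bucket_start is the lower edge of the
    rank bucket, so ranks 1-4 share bucket 0 and ranks 5-9 bucket 5 when span=5.
    Every country gets a color by position, whatever the absolute spread."""
    ordered = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return {name: (rank, (rank // span) * span)
            for rank, (name, _value) in enumerate(ordered, start=1)}


def bin_histogram(assignment):
    """Countries per bin: the quick way to see whether a scheme gives contrast."""
    return Counter(assignment.values())


if __name__ == "__main__":
    print("equal width, 4 bins:", dict(bin_histogram(equal_width_bins(LOGINS_BY_COUNTRY, 4))))
    print("custom edges:       ", dict(bin_histogram(custom_bins(LOGINS_BY_COUNTRY))))
    ranks = rank_bins(LOGINS_BY_COUNTRY, span=3)
    print("rank span=3:        ", dict(bin_histogram({n: b for n, (_r, b) in ranks.items()})))
```

On this sample the equal-width histogram is {0: 8, 3: 1}, which is the eight-white-countries problem from the question. gchung's edges were chosen for his data, not this sample, so they still put six countries into 101-10000; the rank buckets spread countries evenly whatever the absolute spread, at the price of losing the magnitudes. Whichever you pick, the edges encode a judgement about what is normal volume, so when the metric is successful logins by country, choose edges that keep the low-volume countries visibly distinct from each other.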

Simon
Contributor

I'm using kmeans to create dynamic "categories" based on a numeric field:

index=index "Login succeeded" | iplocation source_ip | lookup geo_us_states longitude as lon, latitude as lat | stats count by featureId | geom geo_us_states  | kmeans k=5 count | eventstats min(count) AS min, max(count) AS max by CLUSTERNUM | sort min | eval count=min."-".max | fields - CLUSTERNUM centroid_count max min

where
- k=5 defines the number of clusters/categories (5 in this case)
- eventstats / eval is used to create a dynamic label for the category in the field "count" showing min and max of count

HTH.

Best,
Simon

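
Added example, not Simon's code: his kmeans approach reimplemented in plain Python so the effect can be seen without a Splunk instance, on a constructed count-by-country table. A one-dimensional Lloyd's k-means with deterministic starting centroids stands in for the kmeans command (Splunk initialises its own way, so cluster boundaries may differ on real data); each cluster is then labelled min-max as his eventstats/eval step does. The counts and the function names are assumptions of the example.

```python
"""Data-driven choropleth categories via one-dimensional k-means (constructed example)."""

# Constructed sample standing in for `... | stats count by featureId`.
LOGINS_BY_COUNTRY = {
    "US": 94000, "DE": 4200, "GB": 3100, "FR": 1800, "CA": 900,
    "CH": 420, "NL": 260, "SE": 75, "NZ": 12,
}


def kmeans_1d(values, k, max_iter=100):
    """Lloyd's k-means on a single numeric field, no numpy needed.
    Stand-in for `kmeans k=<k> count`; the starting centroids are spread over the
    sorted values so the result is deterministic. Returns (sorted_values, cluster_per_value)."""
    data = sorted(values)
    if not 1 <= k <= len(data):
        raise ValueError("k must be between 1 and the number of values")
    if k == 1:
        centroids = [sum(data) / len(data)]
    else:
        centroids = [float(data[(i * (len(data) - 1)) // (k - 1)]) for i in range(k)]
    assignment = None
    for _ in range(max_iter):
        # Nearest centroid per value; ties resolve to the lower cluster number.
        new_assignment = [min(range(k), key=lambda j, v=v: abs(v - centroids[j])) for v in data]
        if new_assignment == assignment:
            break  # converged: no value changed cluster
        assignment = new_assignment
        for j in range(k):
            members = [v for v, c in zip(data, assignment) if c == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = sum(members) / len(members)
    return data, assignment


def cluster_labels(counts, k):
    """The rest of Simon's pipeline:
    `eventstats min(count) AS min, max(count) AS max by CLUSTERNUM | sort min | eval count=min."-".max`.
    Returns (labels ordered by their minimum, {country: label})."""
    data, assignment = kmeans_1d(list(counts.values()), k)
    ranges = {}
    for value, cluster in zip(data, assignment):
        lo, hi = ranges.get(cluster, (value, value))
        ranges[cluster] = (min(lo, value), max(hi, value))
    label_of_cluster = {c: f"{lo}-{hi}" for c, (lo, hi) in ranges.items()}
    cluster_of_value = dict(zip(data, assignment))  # equal values always share a cluster
    by_country = {name: label_of_cluster[cluster_of_value[value]] for name, value in counts.items()}
    ordered = [label_of_cluster[c] for c in sorted(ranges, key=lambda c: ranges[c][0])]
    return ordered, by_country


if __name__ == "__main__":
    ordered, by_country = cluster_labels(LOGINS_BY_COUNTRY, 5)
    print("categories:", ordered)
    for name, label in by_country.items():
        print(f"{name}: {label}")
```

With k=5 the sample splits into 12-75, 260-420, 900-1800, 3100-4200 and 94000-94000, so the dominant country occupies a category of its own and the remaining eight are spread across four colors instead of all being white. The labels are recomputed on every search, which is what makes the categories follow the data; it also means the legend changes from run to run, so note the ranges when comparing two maps.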

GRMcCauley
Explorer

@Simon - This is VERY helpful. Thank You!

jmchilde
Explorer

Thanks all. I will give this a try!

TonyLeeVT
Builder

Thanks for all the input on this issue.

@jmchilde - Did it work?

@mporath_splunk - Could you please provide a working example?

jdswanson
Explorer

I concur. Would like to see custom bins for absolute values.
