Not getting the store value in pop ups on dots in map.

kumar_pashupati
New Member

Please tell me how to get the store value in pop-ups on the map after hovering. Here in the output, based on the condition, dots are displayed. I want to display the store number in pop-ups on the dots in the map. Whenever I change the query, the color condition fails. My query is working fine but is not showing the store value in pop-ups on the dots in the map. Below is the query.

| inputlookup store_data_api.csv
| rename store_number as store
| eval storeStatus = "1"

        | join type=left store
          [

              | search index="mon_prod" device="pos" ( (process="cpu_metrics") OR (process="mem_metrics") OR (process="top_process_metrics") OR (process="disk_usage_metrics" disk_mount_point="/" ) ) 
              | stats avg(cpu_total) as cpu_avg, latest(process_mem) as process_mem, latest(disk_used) as disk_used, latest(disk_available) as disk_available, latest(memtotal) as memtotal, latest(memfree) as memfree count by deviceid, device, store 
              | eval disk_percent = ((disk_used/(disk_available+disk_used))*100) 
              | eval mem_percent = (((memtotal-memfree)/memtotal)*100) 
              | eval status = case(
                  ((cpu_avg >=95) OR (disk_percent >=90) OR (mem_percent >=98) OR (process_mem >1)),"3000",
                  ((cpu_avg < 95 and cpu_avg >90) OR (disk_percent <90 and disk_percent >=70) OR (mem_percent < 98 and mem_percent >=94 ) OR (process_mem =1)),"2000",
                  ((cpu_avg <90 and cpu_avg >= 0) OR (disk_percent < 70) OR (mem_percent < 94 ) OR (process_mem <1)),"1000"
                  )
              | table _time,store,deviceid,device,process,cpu_avg,disk_percent,mem_percent,process_mem,status,disk_mount_point 
              | stats count by store status 
              | stats max(status) by store 
              | rename max(status) as storeStatusPOS

          ]

          | join type=left store
          [
                | search index="mon_prod" device="boh" store="*" ( (process="cpu_metrics") OR (process="mem_metrics") OR (process="top_process_metrics") OR (process="disk_usage_metrics" (disk_mount_point="/" OR disk_mount_point="/appl" OR disk_mount_point="/var/lib/postgresql/9.3/main")) ) 
                    | stats  latest(disk_used) as disk_used, latest(disk_available) as disk_available count by deviceid, device, store, disk_mount_point
                    | eval disk_percent = ((disk_used/(disk_available+disk_used))*100) 
                    | lookup devicememvalues.csv deviceid outputnew mem_percent cpu_avg process_mem
                    | eval disk_mount_point=if(disk_mount_point="/","root",disk_mount_point)
                | eval status1 = 
                    if(disk_mount_point="root", case(((cpu_avg >90) OR ( disk_percent >90) OR (mem_percent >98) OR (process_mem >1)),"3000"),"0")
                    | eval status2= 
                    if(disk_mount_point="/appl", case(((cpu_avg >90 and cpu_avg >70) OR (disk_percent >88) OR (mem_percent >98) OR (process_mem >1)),"3000") ,"0")
                    | eval status3=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg >90) OR (disk_percent >85) OR (mem_percent >98) OR (process_mem >1)),"3000"),"0")

                    | eval status4 = 
                    if(disk_mount_point="root", case(((cpu_avg < 90 and cpu_avg >70) OR ( disk_percent >70 and disk_percent <90 ) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000"),"0")
                    | eval status5= 
                    if(disk_mount_point="/appl", case(((cpu_avg < 90 and cpu_avg >70) OR (disk_percent <88 and disk_percent >75) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000") ,"0")
                    | eval status6=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg < 90 and cpu_avg >70) OR (disk_percent <85 and disk_percent >70) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000"),"0") 

                    | eval status7 = 
                    if(disk_mount_point="root", case(((cpu_avg <70 and cpu_avg >= 0) OR ( disk_percent <70) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000"),"0")
                    | eval status8= 
                    if(disk_mount_point="/appl", case(((cpu_avg <70 and cpu_avg >= 0) OR (disk_percent <75) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000") ,"0")
                    | eval status9=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg <70 and cpu_avg >= 0) OR (disk_percent < 70) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000"),"0") | fillnull value=1
                   | eval status=status1." ".status2." ".status3." ".status4." ".status5." ".status6." ".status7." ".status8." ".status9
                   | rex field=status "(?<status>\d{4})"| stats values(status) as status by deviceid,store
                   | eval status = case(status="3000","3000",status="2000","2000",status="1000","1000")
                   | table _time,store,deviceid,device,process,cpu_avg,disk_percent,mem_percent,process_mem,status,disk_mount_point 
               | stats count by store status 
               | stats max(status) by store 
               | rename max(status) as storeStatusBOH

          ]
          | table latitude,longitude,storeStatusPOS,storeStatusBOH,store
          | eval phStore= "PH"+ store
          | eval PP=store
          | eval storeStatus=if(storeStatusPOS>storeStatusBOH,storeStatusPOS,storeStatusBOH)
          | fillnull value=1 storeStatus

         | geostats latfield=latitude longfield=longitude values(phStore) sum(storeStatus) as Total 


          | eval redCount = if(Total>= 3000,Total, 0) 
          | eval yellowCount = if(Total<3000 and Total>=2000,Total, 0) 
          | eval greenCount = if( Total <2000 and Total>=1000,Total,0) 
          | eval greyCount = if( Total < 1000,Total,0)
          | fields - Total,store
0 Karma

shaskell_splunk
Splunk Employee

If you want the store to show as a hover (tooltip) then you'll need to | eval tooltip=store and make sure tooltip is in your final | table.

If you want store to show as a popup when you click the marker you'll need to | eval description=store and make sure description is in your final | table.

If you want both, | eval tooltip=store, description=store | table latitude, longitude, tooltip, description

0 Karma

kumar_pashupati
New Member

Any idea, please help

0 Karma