
Not getting the store value in pop ups on dots in map.

kumar_pashupati
New Member

Please tell me how to get the store value in pop-ups on the map after hovering. Here in the output, based on the condition, dots display. I want to display the store number in pop-ups on the dots in the map. Whenever I change the query, the color condition fails. My query is working fine but is not showing the store value in pop-ups on the dots in the map. Below is the query.

| inputlookup store_data_api.csv
| rename store_number as store
| eval storeStatus = "1"

        | join type=left store
          [

              | search index="mon_prod" device="pos" ( (process="cpu_metrics") OR (process="mem_metrics") OR (process="top_process_metrics") OR (process="disk_usage_metrics" disk_mount_point="/" ) ) 
              | stats avg(cpu_total) as cpu_avg, latest(process_mem) as process_mem, latest(disk_used) as disk_used, latest(disk_available) as disk_available, latest(memtotal) as memtotal, latest(memfree) as memfree count by deviceid, device, store 
              | eval disk_percent = ((disk_used/(disk_available+disk_used))*100) 
              | eval mem_percent = (((memtotal-memfree)/memtotal)*100) 
              | eval status = case(
                 ((cpu_avg >=95) OR (disk_percent >=90) OR (mem_percent >=98) OR (process_mem >1)),"3000", 
((cpu_avg < 95 and cpu_avg >90) OR (disk_percent <90 and disk_percent >=70) OR (mem_percent < 98 and mem_percent >=94 ) OR (process_mem =1)),"2000" ,
((cpu_avg <90 and cpu_avg >= 0) OR (disk_percent < 70) OR (mem_percent < 94 ) OR (process_mem <1)),"1000"
                  ) 
              | table _time,store,deviceid,device,process,cpu_avg,disk_percent,mem_percent,process_mem,status,disk_mount_point 
              | stats count by store status 
              | stats max(status) by store 
              | rename max(status) as storeStatusPOS

          ]

          | join type=left store
          [
                | search index="mon_prod" device="boh" store="*" ( (process="cpu_metrics") OR (process="mem_metrics") OR (process="top_process_metrics") OR (process="disk_usage_metrics" (disk_mount_point="/" OR disk_mount_point="/appl" OR disk_mount_point="/var/lib/postgresql/9.3/main")) ) 
                    | stats  latest(disk_used) as disk_used, latest(disk_available) as disk_available count by deviceid, device, store, disk_mount_point
                    | eval disk_percent = ((disk_used/(disk_available+disk_used))*100) 
                    |lookup devicememvalues.csv deviceid outputnew mem_percent cpu_avg process_mem
                    | eval disk_mount_point=if(disk_mount_point="/","root",disk_mount_point)
                | eval status1 = 
                    if(disk_mount_point="root", case(((cpu_avg >90) OR ( disk_percent >90) OR (mem_percent >98) OR (process_mem >1)),"3000"),"0")
                    | eval status2= 
                    if(disk_mount_point="/appl", case(((cpu_avg >90 and cpu_avg >70) OR (disk_percent >88) OR (mem_percent >98) OR (process_mem >1)),"3000") ,"0")
                    | eval status3=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg >90) OR (disk_percent >85) OR (mem_percent >98) OR (process_mem >1)),"3000"),"0")

                    | eval status4 = 
                    if(disk_mount_point="root", case(((cpu_avg < 90 and cpu_avg >70) OR ( disk_percent >70 and disk_percent <90 ) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000"),"0")
                    | eval status5= 
                    if(disk_mount_point="/appl", case(((cpu_avg < 90 and cpu_avg >70) OR (disk_percent <88 and disk_percent >75) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000") ,"0")
                    | eval status6=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg < 90 and cpu_avg >70) OR (disk_percent <85 and disk_percent >70) OR (mem_percent < 98 and mem_percent >94 ) OR (process_mem =1)),"2000"),"0") 

                    | eval status7 = 
                    if(disk_mount_point="root", case(((cpu_avg <70 and cpu_avg >= 0) OR ( disk_percent <70) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000"),"0")
                    | eval status8= 
                    if(disk_mount_point="/appl", case(((cpu_avg <70 and cpu_avg >= 0) OR (disk_percent <75) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000") ,"0")
                    | eval status9=
                    if(disk_mount_point="/var/lib/postgresql/9.3/main",case(((cpu_avg <70 and cpu_avg >= 0) OR (disk_percent < 70) OR (mem_percent <94 and mem_percent >=0 ) OR (process_mem <1)),"1000"),"0") | fillnull value=1
                   | eval status=status1." ".status2." ".status3." ".status4." ".status5." ".status6." ".status7." ".status8." ".status9
                   | rex field=status "(?<status>\d{4})"| stats values(status) as status by deviceid,store
                   | eval status = case(status="3000","3000",status="2000","2000",status="1000","1000")
                   | table _time,store,deviceid,device,process,cpu_avg,disk_percent,mem_percent,process_mem,status,disk_mount_point 
               | stats count by store status 
               | stats max(status) by store 
               | rename max(status) as storeStatusBOH

          ]
          | table latitude,longitude,storeStatusPOS,storeStatusBOH,store
          | eval phStore= "PH"+ store
          | eval PP=store
          | eval storeStatus=if(storeStatusPOS>storeStatusBOH,storeStatusPOS,storeStatusBOH)
          | fillnull value=1 storeStatus

         | geostats latfield=latitude longfield=longitude values(phStore) sum(storeStatus) as Total 


          | eval redCount = if(Total>= 3000,Total, 0) 
          | eval yellowCount = if(Total<3000 and Total>=2000,Total, 0) 
          | eval greenCount = if( Total <2000 and Total>=1000,Total,0) 
          | eval greyCount = if( Total < 1000,Total,0)
          | fields - Total,store
0 Karma

shaskell_splunk
Splunk Employee

If you want the store to show as a hover (tooltip) then you'll need to |eval tooltip=store and make sure tooltip is in your final | table.

If you want store to show as a popup when you click the marker you'll need to | eval description=store and make sure description is in your final | table.

If you want both, | eval tooltip=store, description=store | table latitude, longitude, tooltip, description

0 Karma

kumar_pashupati
New Member

Any idea? Please help.

0 Karma