Statistics to Choropleth map

to4kawa
Ultra Champion

I am trying to draw a map from coordinate data.
It was originally a GeoJSON format file, so I did not create a lookup and imported it into an index.

count   featureId   geom
1289    Yokohama    { "type": "Polygon", "coordinates": [ [ [ 139.67603133597743, 35.45629161326741 ], [ 139.67587019455391, 35.455984838329698 ], [ 139.67581192028399, 35.455874054444109 ], [ 139.67579549866343, 35.455865027049413 ], [ 139.6757730219075, 35.455862386639865 ], [ 139.67574019485414, 35.45586863962609 ], [ 139.6757145012233, 35.455885386801185 ], [ 139.67570430560932, 35.455912585897181 ], [ 139.67576016879684, 35.456023531660719 ], [ 139.67582211409933, 35.456004135082821 ], [ 139.67586997421995, 35.456092360374164 ], [ 139.67594143974566, 35.456223891619345 ], [ 139.67593316508362, 35.45623641377955 ], [ 139.67595422810518, 35.456285026632713 ], [ 139.67597513644341, 35.45629405402741 ], [ 139.675981284209, 35.456309107779134 ], [ 139.67603133597743, 35.45629161326741 ] ] ] }

This is my Statistics result.
I want to visualize it as a Choropleth map, but I can't.
I think the information is enough, but what is missing?

0 Karma

to4kawa
Ultra Champion

As a result of the investigation, the coordinates I prepared were wrong.

To draw on the Choropleth map

  1. Correct coordinates
  2. Prepare each of the count, _featureIdField, featureCollection and geom fields
  3. The setting of _featureIdField is |eval _featureIdField = "featureId". If there is no featureId, that is not a problem either.
  4. The type of geom is MultiPolygon

You need these.

cf. IplocationChoropleth
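
Point 4 above asks for a MultiPolygon geom. In GeoJSON, a MultiPolygon's coordinates are nested one level deeper than a Polygon's, so renaming the type string alone leaves the nesting unchanged. The following is an added example, not code from the thread: a Python pre-processing helper that wraps a Polygon into a MultiPolygon and checks nesting depth and ring closure before the data is indexed. The function names and the sample square are constructed for illustration.

```python
import json

# Constructed sample: a small closed square in GeoJSON Polygon form.
SAMPLE_POLYGON = ('{"type": "Polygon", "coordinates": '
                  '[[[139.0, 35.0], [139.1, 35.0], [139.1, 35.1], [139.0, 35.1], [139.0, 35.0]]]}')

# Nesting depth of "coordinates": Polygon = rings > positions > numbers (3),
# MultiPolygon = polygons > rings > positions > numbers (4).
EXPECTED_DEPTH = {"Polygon": 3, "MultiPolygon": 4}


def nesting_depth(value):
    """Count list levels by following the first element at each level."""
    depth = 0
    while isinstance(value, list):
        if not value:
            raise ValueError("empty coordinate array")
        value = value[0]
        depth += 1
    return depth


def to_multipolygon(geom_json):
    """Return a compact MultiPolygon JSON string for a Polygon or MultiPolygon."""
    geom = json.loads(geom_json)
    gtype = geom.get("type")
    coords = geom.get("coordinates")
    if gtype not in EXPECTED_DEPTH:
        raise ValueError(f"unsupported geometry type: {gtype!r}")
    depth = nesting_depth(coords)
    if depth != EXPECTED_DEPTH[gtype]:
        raise ValueError(f"{gtype} needs depth {EXPECTED_DEPTH[gtype]}, got {depth}")
    # A Polygon becomes a MultiPolygon holding exactly one polygon.
    polygons = [coords] if gtype == "Polygon" else coords
    for polygon in polygons:
        for ring in polygon:
            if ring[0] != ring[-1]:
                raise ValueError("linear ring is not closed (first != last)")
    return json.dumps({"type": "MultiPolygon", "coordinates": polygons},
                      separators=(",", ":"))


if __name__ == "__main__":
    print(to_multipolygon(SAMPLE_POLYGON))
    renamed_only = SAMPLE_POLYGON.replace("Polygon", "MultiPolygon")
    try:
        to_multipolygon(renamed_only)  # type renamed, nesting still depth 3
    except ValueError as err:
        print("rejected:", err)
```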

rmmiller
Contributor

Great investigation, @to4kawa!!

0 Karma

to4kawa
Ultra Champion

Thank you @rmmiller
I have to find accurate coordinate information 😞
Also, in this case
I understand the behavior of dedup and stats values().
These hold on top.
The order of the logs is important.

0 Karma

to4kawa
Ultra Champion

e.g. A

| inputlookup geo_us_states
| head 1
| transpose

Results:

column  row 1
_featureIdField featureId
count   0
featureCollection   geo_us_states
featureId   Alabama
geom    {"type":"MultiPolygon","coordinates":[[[[-88.31002807617188,30.233232498168945],[-88.31002807617188,30.233232498168945]]],[[[-88.47322845458984,31.893856048583984],[-88.20295715332031,35.008026123046875],[-85.60516357421875,34.984676361083984],[-85.00250244140625,31.000682830810547],[-88.02840423583984,30.221132278442383],[-88.47322845458984,31.893856048583984]]]]}

There is _featureIdField. If you delete this field (e.g. |fields - _featureIdField), Choropleth Map will not work properly.


e.g. B1

| inputlookup geo_us_states
| head 1

e.g. B2

| inputlookup geo_us_states
| head 1
| fields -  featureId

It is easy to understand when compared.
If you delete featureId, it will be drawn only with the coordinates specified in geom.
What data is Splunk using?


e.g. C

| inputlookup geo_us_states
| head 1
| fields -  featureId
| eval geom=replace(geom,"MultiPolygon","Polygon")

Result: Bad
From this result, the type is only MultiPolygon. The way of specifying coordinates is different.


e.g. D

| makeresults 
| eval featureCollection="geo_us_states" 
| eval _featureIdField="featureId" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[-88.31002807617188,30.233232498168945],[-88.31002807617188,30.233232498168945],[-88.47322845458984,31.893856048583984],[-88.20295715332031,35.008026123046875],[-85.60516357421875,34.984676361083984],[-85.00250244140625,31.000682830810547],[-88.02840423583984,30.221132278442383],[-88.47322845458984,31.893856048583984]]}" 
| eval count=1

Result: OK
I modified the coordinates of Alabama. Please compare with e.g. A.
From this result, if the coordinates are correct, display is possible.

0 Karma

to4kawa
Ultra Champion

e.g. 1:

| makeresults
| eval featureCollection="geo_countries"
| eval count=1
| eval featureId="Afghanistan" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[[[71.0498046875,38.40866470336914],[71.65302276611328,36.68701171875],[74.89230346679688,37.23111343383789],[71.22307586669922,36.12539291381836],[69.04010772705078,31.673107147216797],[65.03636932373047,29.5401611328125],[60.84437942504883,29.858179092407227],[61.269676208496094,35.618499755859375],[71.0498046875,38.40866470336914]]]]}"
| table count featureCollection featureId geom

Result: Bad

e.g. 2:

| makeresults
| eval featureCollection="geo_countries"
| eval count=1
| eval featureId="Afghanistan" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[[[71.0498046875,38.40866470336914],[71.65302276611328,36.68701171875],[74.89230346679688,37.23111343383789],[71.22307586669922,36.12539291381836],[69.04010772705078,31.673107147216797],[65.03636932373047,29.5401611328125],[60.84437942504883,29.858179092407227],[61.269676208496094,35.618499755859375],[71.0498046875,38.40866470336914]]]]}"
| table count featureCollection featureId geom
| geom geo_countries

Result: OK

e.g. 3:

| makeresults
| eval featureCollection="geo_countries"
| eval count=1
| eval featureId="Afghanistan" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[[[71.0498046875,38.40866470336914],[71.65302276611328,36.68701171875],[74.89230346679688,37.23111343383789],[71.22307586669922,36.12539291381836],[69.04010772705078,31.673107147216797],[65.03636932373047,29.5401611328125],[60.84437942504883,29.858179092407227],[61.269676208496094,35.618499755859375],[71.0498046875,38.40866470336914]]]]}"
| table count featureCollection featureId geom
| appendpipe 
    [| geom geo_countries]
| dedup geom

Result: Bad

e.g. 4:

| makeresults
| eval featureCollection="geo_countries"
| eval count=1
| eval featureId="Afghanistan" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[[[71.0498046875,38.40866470336914],[71.65302276611328,36.68701171875],[74.89230346679688,37.23111343383789],[71.22307586669922,36.12539291381836],[69.04010772705078,31.673107147216797],[65.03636932373047,29.5401611328125],[60.84437942504883,29.858179092407227],[61.269676208496094,35.618499755859375],[71.0498046875,38.40866470336914]]]]}"
| table count featureCollection featureId geom
| appendpipe 
    [| geom geo_countries]
    | reverse

Result: OK

e.g. 5:

| makeresults
| eval featureCollection="geo_countries"
| eval count=1
| eval featureId="Afghanistan" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[[[71.0498046875,38.40866470336914],[71.65302276611328,36.68701171875],[74.89230346679688,37.23111343383789],[71.22307586669922,36.12539291381836],[69.04010772705078,31.673107147216797],[65.03636932373047,29.5401611328125],[60.84437942504883,29.858179092407227],[61.269676208496094,35.618499755859375],[71.0498046875,38.40866470336914]]]]}"
| table count featureCollection featureId geom
| appendpipe 
    [| geom geo_countries]
    | stats values(*) as *

Result: Bad

e.g. 6:

| makeresults
| eval featureCollection="geo_countries"
| eval count=1
| eval featureId="Afghanistan" 
| eval geom="{\"type\":\"MultiPolygon\",\"coordinates\":[[[[71.0498046875,38.40866470336914],[71.65302276611328,36.68701171875],[74.89230346679688,37.23111343383789],[71.22307586669922,36.12539291381836],[69.04010772705078,31.673107147216797],[65.03636932373047,29.5401611328125],[60.84437942504883,29.858179092407227],[61.269676208496094,35.618499755859375],[71.0498046875,38.40866470336914]]]]}"
| table count featureCollection featureId geom
| appendpipe 
    [| geom geo_countries]
    | reverse
    | stats values(*) as *

Result: sometimes OK

All stats results are 1 line.
Wow, what's happening? The Statistics results are the same, but the Visualization is different.

e.g. 6 appears to indicate that your browser has a cache.

0 Karma

rmmiller
Contributor

Wow! For each one of those tests, did you change your visualization away from choropleth and back to choropleth? That was the only way I could work around the caching of the previous result.

0 Karma

to4kawa
Ultra Champion

No, I didn't.
I'll try later.
Thanks.

0 Karma

rmmiller
Contributor

I think it's because you're missing a field in your result named featureCollection. Without it, choropleth seems confused about what to do with your result.

I was able to recreate this problem using generated data. Your JSON is missing a set of brackets around the coordinates, but that didn't seem to make any difference in my tests. I tried replacing the quad brackets with the triple that appear in your output -- no difference. The same is true with differences in whitespace between your JSON and the output of geom.

| makeresults count=50
| eval raw=split("8.8.8.8,50.19.98.133,54.204.12.32,13.32.83.121",",")
| eval src_ip=mvindex(raw,random()%4)
| iplocation src_ip
| fields - raw
| stats count by Region
| rename Region as featureId
| geom geo_us_states
| eval geom=replace(geom,"\[\[\[\[","[ [ [ ")
| eval geom=replace(geom,"\]\]\]\]","] ] ] ")
| eval geom=replace(geom,"MultiPolygon","Polygon")
`comment("Uncomment the line immediately below to break choropleth")`
`comment("| fields - featureCollection")`
`comment("You will need to change the visualization to something")`
`comment("else and back to choropleth or you will see cache effects")`

IP addresses are for Google DNS, answers.splunk.com, and conf.splunk.com
My guess is if you have a featureCollection field, choropleth will start working as expected.

Hope that helps!
rmmiller

to4kawa
Ultra Champion

Thank you for your reply.
This works fine. I will try various things.

0 Karma

rmmiller
Contributor

What if you change your type from "Polygon" to "MultiPolygon"?

0 Karma

to4kawa
Ultra Champion

I changed it like below, but it was no good.

| eval geom=replace(geom,"Polygon","MultiPolygon")

0 Karma