I'm curious whether there is a preferred way of getting the geolocation data in and using it in the searches. We are talking about a company which has many (several dozen) different branches all over the country. The list of those branches will change every now and then, but it will be a rare event.
Right now, just for the sake of getting something working, I created a CSV file of branches containing their longitude and latitude, imported it once and created a couple of maps with underlying searches joining the resulting list of "events" on the location ID before going into 'geostats' command. However, I have a feeling that JOIN is a cumbersome way of doing it. Is there anything better suited for the task?
For mostly static data the most common approach is to put it into a CSV file and upload that as a lookup file. Using that, you can either use that data to enrich events in Splunk indexes with geolocation data, or use the file itself (`| inputlookup file.csv`) to draw a map of all branches without any current events from those branches.
A little documentation on lookups: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Aboutlookupsandfieldactions
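As an added illustration (not part of the answer above), here is what both uses of the lookup look like end to end. It assumes a lookup file uploaded as `branches.csv` with the columns `location_id`, `branch_name`, `lat` and `lon`, and events in an index `branch_logs` that carry a `location_id` field; all of those names are assumptions. The first search draws every branch from the file alone, the second enriches events with coordinates (replacing the `join`) before `geostats`, and the third is the check a practitioner wants before trusting the map, because `lookup` silently leaves `lat`/`lon` empty for any `location_id` missing from the CSV and `geostats` then drops those events:

```spl
| inputlookup branches.csv
| geostats latfield=lat longfield=lon count by branch_name

index=branch_logs
| lookup branches.csv location_id OUTPUT lat lon branch_name
| geostats latfield=lat longfield=lon count by branch_name

index=branch_logs
| lookup branches.csv location_id OUTPUT lat lon
| where isnull(lat) OR isnull(lon)
| stats count by location_id
```

Calling the file by name works because an uploaded lookup file is directly usable with `lookup` and `inputlookup`. If you want the shorter `| lookup branches location_id` form, add a stanza `[branches]` with `filename = branches.csv` to `transforms.conf` in the app that owns the file, and set the file's sharing (private, app or global) so the users who run the map searches can read it.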
That fully satisfies it. I tried uploading my file and then using LOOKUP command and it worked perfectly. My only remaining question would be "How to modify the CSV file I'm using". For example, when the company opens a new branch, we would want to add it to that CSV file. Is it as easy as uploading its modified version under the same name?
You can either drop a replaced file onto the server itself, or upload a new file through the UI. You might need to first delete the file from the UI though.
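A third option, added here as an example rather than taken from the answer above, is to rewrite the lookup from a search with `outputlookup`, which avoids re-uploading the whole file when one branch is added. It assumes the same `branches.csv` with columns `location_id`, `branch_name`, `lat` and `lon` (assumed names), and the new branch values are made up. The new row is created first and the existing file appended after it, so `dedup` keeps the new row if that `location_id` already exists; the `where` line drops rows whose coordinates are not numbers in range, which is worth having because a malformed row would otherwise be written straight into the file that every map search reads:

```spl
| makeresults
| eval location_id="B042", branch_name="Springfield", lat=39.7817, lon=-89.6501
| fields - _time
| inputlookup branches.csv append=true
| dedup location_id
| where isnum(lat) AND abs(lat)<=90 AND isnum(lon) AND abs(lon)<=180
| outputlookup branches.csv
```

`outputlookup` replaces the entire file, so run the search once without the last line, confirm the row count is the old count plus one and that nothing was filtered out by the `where`, and only then add `| outputlookup`. Whoever runs it needs write permission on the lookup file, which is the same permission that controls who can overwrite it through the UI. When the file is replaced on disk instead, it lives under `$SPLUNK_HOME/etc/apps/<app>/lookups/` for an app-shared lookup, and the same column header has to be kept or every search that references the old field names breaks.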