
Trouble with Choropleth US Map

Path Finder

I am trying to generate a Choropleth map of IPs in the US. I have already created one for countries of the world. For that I have successfully used:

<Base_Search>
| iplocation src_ip
| stats count by Country
| where Country!="United States" 
| geom geo_countries featureIdField=Country

Great.

I want to create a new map of JUST the United States, and show IPs by state. I am having some trouble there. When I run:

| inputlookup geo_attr_us_states

I see that I have data. Ok.
When I run:

| iplocation src_ip
| where Country="United States"
| table clientip, status, City, State, Country

I see that I have a table that shows the cities and countries, but not the states for the IP addresses. I figure this might be an issue. Back when I ran the inputlookup, I see that the data I get back are statecode, statefips, state_name. I try to run:

| iplocation src_ip
| where Country="United States"
| geom geo_countries featureIdField=state_name

And state_name is blank for all events.

The fact that Splunk knows the city name of the IP, would suggest that it should know the state as well...

I see on https://answers.splunk.com/answers/334780/can-someone-provide-an-example-for-geom-counts-bas-1.html that there is a comment that suggests that:

| iplocation src_ip
| where Country="United States"
| stats count by src_ip 
| geom geo_us_states featureIdField=src_ip

Might work. And it looks like it almost does. But, geom is blank on the statistics tab.

Anyone know what I might be doing wrong?


Re: Trouble with Choropleth US Map

Motivator

Hi @stakor,
I work on Choropleth map documentation. Taking a look at your notes here and will try to suggest something. Please stay tuned!


Re: Trouble with Choropleth US Map

Motivator

Hi again, @stakor,
I think there are a couple things going on here.

I'd start by seeing what the generated src_ip field looks like. You could run this much of your query:

| iplocation src_ip
| where Country="United States"
| stats count by src_ip

To see what the statistics table includes in the src_ip column. I suspect there is a mismatch between definitions in geo_us_states and the src_ip information that is preventing aggregated values being mapped on the US map.

Try extracting the IP field and using the geostats command to generate lat and longitude coordinates for the IP locations so that they can be mapped. We have a scenario that shows you how to extract an IP location field, derive latitude and longitude info from it, and use this info with mapping commands as part of creating a dashboard. In particular, these two parts are relevant to your situation:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Extractfields

https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Adddrilldownpanels#Part_5:_Create_a_dri...

There is also this Choropleth generation topic in our Dashboards and Visualizations manual:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/ChoroplethGenerate

Based on these two docs resources, I put together this sample search with test data:

sourcetype=secure
| dedup clientip
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon
| lookup geo_us_states longitude as longitude, latitude as latitude
| stats count by featureId
| geom geo_us_states

This generates the featureIds that are necessary for the geom command to render the map. You should be able to adapt this for your use case and generate the Choropleth map.

Hope this helps!

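A variant of the search above that I am adding here as an example (it is not from the original answer): it skips the geostats binning and feeds the lat/lon fields that iplocation already produces straight into the geo lookup, so the resulting count is unique source IPs per state rather than bins per state. It assumes the asker's src_ip field and the iplocation output field names lat and lon (Region is the state name, but the choropleth needs featureId, which only the geo lookup supplies).

```spl
<Base_Search>
| iplocation src_ip
| where Country="United States"
| lookup geo_us_states longitude as lon, latitude as lat
| stats dc(src_ip) as count by featureId
| geom geo_us_states featureIdField=featureId
```

Events whose src_ip has no geolocation (private or unassigned ranges) get no lat/lon and therefore no featureId; checking the Statistics tab for a row with an empty featureId is a quick way to see how much traffic is not being shaded on the map.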


Re: Trouble with Choropleth US Map

Path Finder

When I run:

| iplocation src_ip
| where Country="United States"
| stats count by src_ip

I get a table of:
src_ip count

There are a number of src_ip's and there appears to be an accurate count. But those are the two fields that result.


Re: Trouble with Choropleth US Map

Path Finder

| iplocation src_ip
| where Country="United States"
| stats count by src_ip
| geom geo_us_states featureIdField="State"

Produces a world map, and the legend shows a number of IP addresses.


Re: Trouble with Choropleth US Map

Path Finder

| iplocation src_ip
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| stats count by src_ip
| geom geo_us_states

Also produces a world map with a legend of IP addresses.


Re: Trouble with Choropleth US Map

Motivator

Thanks for the additional details. I updated my post as I worked through a couple of things to reproduce a choropleth map of IP addresses (see my answer).

When you generate the Choropleth map, it will always show a world map in the "Visualizations" tab. You have to scroll and zoom over to the U.S. to show the shaded states. Can you try scrolling and zooming to see if the US Choropleth map generated as expected? I think the required lats and lons might be missing for the shape rendering to work properly. See my answer above for some more suggestions on adjusting the search.


Re: Trouble with Choropleth US Map

Path Finder

That did it. I just changed clientip to src_ip, and it worked like a charm.

Thank you very much.


Re: Trouble with Choropleth US Map

Motivator

Excellent! So glad to hear that that helped.
